CCNA ICND - Jamie Is Weird

CCNA 640-801
ICND
LAN Switching and 2950 Configuration
   Some 2950 commands
Spanning Tree Protocol (STP) 802.1d
   Electing a Root Bridge
   Costs and Ports
   Designated Bridge
   BPDU Messages
   Timers
   Etherchannel
   Portfast
   Rapid Spanning Tree (802.1w)
   RSTP Link and Edge Types
   RSTP Port Types
   RSTP States
   Spanning Tree Commands
Virtual LANs and Trunking
   ISL and 802.1q (1dotQ)
   VLAN Trunking Protocol (VTP)
   VTP Pruning
   VTP Messages
   Switchport Trunking Modes
   VLAN and Trunk Configuration
IP Addressing and Subnetting
   Powers of Two
   Prefix to Mask Conversion
   Finding the Subnet Number
   Subnet Range
   Enhanced Bob Maneuver
   Subnetting Testing Example
Distance Vector & Static Routes
   Static Routes
   Default Routing
   Distance Vector Concepts
   Route Poisoning
   Split Horizon
   Poison Reverse
   Hold Down Timer
   Triggered Flash Updates
   RIP & IGRP
   RIP & IGRP Commands
   Multiple Routes to the same subnet in a Routing Table
   Administrative Distances
OSPF and EIGRP Concepts
   OSPF Table Concepts
   OSPF Router ID
   Hello Messages
   OSPF Designated Router
   Designated Router Election
   Database Exchange and Becoming Fully Adjacent
   Steady State Operation
   Loop Avoidance
   Scaling OSPF with Areas
   Stub Areas
   Advertising Areas
   Costs
   Balanced Hybrid and EIGRP
   Neighbors and Sending Topology Information
   EIGRP Successor and Feasible Successor Routes
   Classless/Classful
   Query and Reply Process
   OSPF Configuration
   OSPF Exec Commands
   Authentication with OSPF
   EIGRP Configuration
   EIGRP Exec Commands
   EIGRP Autosummarization
Advanced Routing Protocol Topics
   Route Summarization
   VLSM
   Route Summarization Strategies
   Autosummarization
   Default Routes
Advanced TCP/IP Topics
   CIDR
   Private Addressing
   Network Address Translation (NAT)
   NAT Configuration
   Secondary IP Addressing
   FTP and TFTP
   VLAN trunking between a switch and a router
Point-To-Point Leased Line Implementation
   WAN Data Link Protocols
   Configuration
   PPP Specific
   PAP & CHAP
ISDN Dial-On-Demand
   ISDN Channels
   ISDN Protocols
   Function Groups and Reference Points
   ISDN Commands
Frame Relay
   LMI and Encapsulation Types
   Encapsulation and LAPF
   DLCI Addressing
   Layer Three Addressing
   Broadcast Handling
   Frame Relay Service Interworking
   Default Frame Relay Settings
   Frame Relay Congestion Control
   Frame Relay Commands
IP Access Control List Security
   Standard ACLs
   Extended ACLs
   Named ACLs
   Controlling Telnet Access with ACLs
   Recommendations
LAN Switching and 2950 Configuration
When host A sends to host B, the frame is addressed as follows:
 If host A and host B are on two different networks, the destination MAC is not
host B's MAC but the MAC of the router interface that separates host A from host B.
If they are on the same network, the destination MAC is host B's own MAC. The switch
port plays no part in the addressing; the switch only learns which MACs sit behind
each port.
 If the destination MAC is in the switch's MAC table, the switch forwards the frame
only out the port listed there. If the MAC is not known, the switch floods the frame
out all ports except the one it arrived on.
MAC table for the switch (PC1 and PC2 both sit behind a hub on Fa0/2, PC3 on Fa0/3):
0200.1111.1111 Fa0/2
0200.2222.2222 Fa0/2
0200.3333.3333 Fa0/3
0200.4444.4444 Fa0/4
In the graphic above, if PC1 sends to PC2, the destination MAC is PC2's MAC, which the
switch has learned on Fa0/2. Because the destination port is the same as the port the
frame arrived on, the switch filters (drops) the frame instead of forwarding it. PC2
still receives it, because the hub repeats every frame to all of its ports.
If PC1 sends to PC3, the destination MAC is PC3's MAC, learned on Fa0/3, so the switch
forwards the frame out Fa0/3 only. The hub also repeats the frame to PC2, which ignores
it because the destination MAC is not its own; PC3 answers.
Some 2950 commands
show port-security [interface x/y] [address]
interface vlan 20
ip address 10.1.1.4 255.255.255.0
ip default-gateway 10.1.1.1
interface fa0/2
duplex [full | auto | half]
speed [10 | 100 | 1000 | auto | nonegotiate]
switchport port-security
(enables port security on the interface; the following commands tune it)
switchport port-security mac-address [MAC]
(only allows that MAC on the interface)
switchport port-security mac-address sticky
(learns the MAC dynamically and writes it into the running config)
switchport port-security maximum [value]
switchport port-security violation [protect | restrict | shutdown]
(shutdown puts the port into err-disabled state on a violation)
show mac-address-table [static | dynamic] [address MAC]
show controllers ethernet-controller
clear mac-address-table dynamic
mac-address-table static aaaa.aaaa.aaaa fa0/10 vlan 20
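The forwarding rules above (learn the source, forward a known destination, flood an unknown one, filter when the destination port is the ingress port) and the port-security behaviour of the commands just listed, as an added example that is not part of the original notes. It is a small Python model of a transparent bridge, not Cisco code; the MAC addresses, port names and the hub topology are constructed for the demo, and the port-security model covers only what the notes describe (maximum, sticky, violation mode).

```python
"""Added example, not from the original notes: a minimal transparent-bridge
model showing MAC learning, forwarding, flooding and same-port filtering, plus
port security in the style of the 2950 `switchport port-security` commands.
MACs, port names and the topology are constructed for the demo."""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class PortSecurity:
    maximum: int = 1              # switchport port-security maximum <n>
    violation: str = "shutdown"   # protect | restrict | shutdown
    sticky: bool = False          # switchport port-security mac-address sticky
    secure: set = field(default_factory=set)           # static + learned secure MACs
    sticky_config: list = field(default_factory=list)  # what sticky writes to config
    violations: int = 0
    errdisabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # mac -> port (show mac-address-table dynamic)
        self.security = {}    # port -> PortSecurity

    def port_security(self, port, maximum=1, violation="shutdown",
                      sticky=False, static=()):
        """Model of the interface-level port-security commands in the notes."""
        self.security[port] = PortSecurity(maximum, violation, sticky, set(static))

    def _admit(self, port, src):
        """Apply port security to the source MAC; True if the frame is admitted."""
        sec = self.security.get(port)
        if sec is None:
            return True
        if sec.errdisabled:
            return False
        if src in sec.secure:
            return True
        if len(sec.secure) < sec.maximum:
            sec.secure.add(src)                 # learned as a secure dynamic MAC
            if sec.sticky:
                sec.sticky_config.append(src)   # would now appear in running-config
            return True
        sec.violations += 1                     # over the maximum: violation
        if sec.violation == "shutdown":
            sec.errdisabled = True              # port goes err-disabled
        return False                            # protect/restrict just drop the frame

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of egress ports."""
        if not self._admit(in_port, src):
            return []
        self.mac_table[src] = in_port           # learn the source on the ingress port
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            # Ingress and egress port are the same: both hosts hang off one hub.
            # The switch filters the frame and lets the hub deliver it.
            return [] if out == in_port else [out]
        # Unknown unicast or broadcast: flood out every other port that is up.
        return [p for p in self.ports if p != in_port
                and not (p in self.security and self.security[p].errdisabled)]


def hub_scenario():
    """The topology from the notes: PC1 and PC2 share a hub on Fa0/2."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    pc1, pc2, pc3, pc4 = ("0200.1111.1111", "0200.2222.2222",
                          "0200.3333.3333", "0200.4444.4444")
    first = sw.receive("Fa0/2", pc1, pc3)    # PC3 not learned yet: flooded
    sw.receive("Fa0/3", pc3, pc1)            # PC3 replies; now learned on Fa0/3
    sw.receive("Fa0/2", pc2, BROADCAST)      # PC2 learned on Fa0/2 from a broadcast
    sw.receive("Fa0/4", pc4, BROADCAST)
    second = sw.receive("Fa0/2", pc1, pc3)   # known: forwarded to Fa0/3 only
    third = sw.receive("Fa0/2", pc1, pc2)    # same port: filtered, hub delivers
    return first, second, third, dict(sw.mac_table)


def port_security_scenario():
    """One sticky MAC allowed on Fa0/5; a second MAC triggers shutdown."""
    sw = Switch(["Fa0/5", "Fa0/6"])
    sw.port_security("Fa0/5", maximum=1, violation="shutdown", sticky=True)
    sw.receive("Fa0/5", "0200.aaaa.aaaa", BROADCAST)   # learned and made sticky
    sw.receive("Fa0/5", "0200.bbbb.bbbb", BROADCAST)   # violation: err-disabled
    sec = sw.security["Fa0/5"]
    return sec.sticky_config, sec.violations, sec.errdisabled


if __name__ == "__main__":
    print(hub_scenario())
    print(port_security_scenario())
```

`hub_scenario()` returns the three egress decisions in the order the notes discuss them (flood, forward, filter) and the resulting MAC table; `port_security_scenario()` shows why a second MAC on a `maximum 1` port in `shutdown` mode takes the port down, which is what `errdisable recovery` later in these notes is for.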
Spanning Tree Protocol (STP) 802.1d
Spanning Tree Protocol prevents loops in switched networks with redundant links. It
does this by electing a root bridge and putting redundant ports into a blocking state,
using them only if an active link fails.
Electing a Root Bridge
1. At first every switch claims to be the root bridge (a switch newly added to an
existing network also claims it). Every switch sends out BPDU messages containing its
Bridge ID and its cost to the root. The election is simply each switch comparing the
BPDUs it hears against its own.
2. Bridge ID = Priority + MAC; the LOWER value wins. The default priority on Cisco
switches is 32,768, so with default priorities it comes down to which switch has the
lowest base MAC address.
3. The switch with the lowest Bridge ID becomes the root bridge. If a new switch joins
the network with a lower Bridge ID, the original root bridge stops advertising itself
as the root, and the new switch becomes the root and advertises itself as such. All
paths to the root are recalculated as the new BPDUs propagate. Any device that sends
BPDUs with a lower Bridge ID can take over as root this way, which is why BPDU guard
(see Portfast below) is used on ports that face end hosts.
4. The remaining, non-root bridges must determine which ports stay in a forwarding
state and which, if any, go into a blocking state. To do this, each switch calculates
its cost to the root bridge. The root advertises a cost of 0, and each switch adds the
cost of the link on which it received the BPDU, so cost grows the farther you are from
the root.
5. Cost is based on link speed (802.1d defaults):
Speed      Cost
10 Mbps    100
100 Mbps   19
1 Gbps     4
Costs and Ports
 Ports on the root bridge are called designated ports and are always forwarding.
 On each non-root switch, the port with the lowest cost to the root bridge is the
root port, and it is always forwarding.
 Cost determines which of the remaining ports on the non-root switches forward. On
each segment, the port with the higher cost to the root is put into a blocking state to
prevent loops.
 Cost can be set manually on an interface for design purposes:
(config-if)# spanning-tree cost x
Designated Bridge
 On a segment that does not include the root bridge, the switch with the lowest cost
to the root, or with equal cost the lowest Bridge ID, becomes the Designated Bridge
for that segment.
 Its port leading toward the root bridge is a root port as normal.
 Its other ports on such segments are designated ports and are forwarding.
 Designated bridges serve as the "tie-breaker" for who remains forwarding or
blocking when multiple switches have equal costs to the root.
In the graphic above, let's assume Switch One has the lowest Bridge ID, making it the
Root Bridge.
 Both of the interfaces on the root bridge become Designated Ports and are
forwarding.
 Let's assume the next lowest Bridge ID that is not the root bridge belongs to Switch
Three. This makes Switch Three the Designated Bridge.
 Switch Two Fa0/1, Switch Three Fa0/2, and Switch Four Fa0/1 all become root
ports, because they have the lowest cost back to the root.
 Switch Two Fa0/2 connects to Switch Three's root port, so it must remain a
Designated Port in a forwarding state.
 Switch Four Fa0/2 is a redundant link: it does not lead to a root port and has a
higher cost. This port is put into a blocking state, preventing any chance of a loop.
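The election and port-role logic of the last three sections, carried out in code as an added example that is not part of the original notes. It is a Python model, not Cisco code: the switch names, MAC addresses and links are constructed, the cost table is the 802.1d table above, and the port-ID tie-break is simplified to comparing port names. The second scenario plugs in a device with priority 0 to show how a lower Bridge ID takes over as root, the case BPDU guard on access ports is meant to stop.

```python
"""Added example, not from the original notes: computing the 802.1d tree for a
small constructed topology. Bridge ID = (priority, MAC), lowest wins; root path
cost uses the cost table from the notes; each non-root switch keeps one root
port, each link has one designated port, everything else blocks. Names, MACs
and links are made up; port-ID tie-breaking is simplified to the port name."""
import heapq

COST = {10: 100, 100: 19, 1000: 4}   # link speed in Mbps -> 802.1d path cost


def bridge_id(priority, mac):
    """Sortable Bridge ID: priority first, then the switch's base MAC."""
    return (priority, mac.replace(".", "").lower())


def elect_root(switches):
    """switches: {name: (priority, mac)}. The lowest Bridge ID becomes root."""
    return min(switches, key=lambda s: bridge_id(*switches[s]))


def root_costs(root, links):
    """links: [(sw_a, port_a, sw_b, port_b, speed_mbps)].
    Shortest-path (Dijkstra) cost from every switch to the root."""
    adj = {}
    for a, _, b, _, speed in links:
        adj.setdefault(a, []).append((b, COST[speed]))
        adj.setdefault(b, []).append((a, COST[speed]))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    return dist


def port_roles(switches, links):
    """Return (root, cost_to_root, {(switch, port): role})."""
    root = elect_root(switches)
    dist = root_costs(root, links)
    bid = {s: bridge_id(*switches[s]) for s in switches}
    # Root port: on each non-root switch, the port whose neighbour offers the
    # lowest (neighbour cost + link cost); ties go to the lower neighbour
    # Bridge ID, then the lower port name.
    best = {}
    for a, pa, b, pb, speed in links:
        for me, port, nb in ((a, pa, b), (b, pb, a)):
            if me != root:
                key = (dist[nb] + COST[speed], bid[nb], port)
                if me not in best or key < best[me][0]:
                    best[me] = (key, port)
    roles = {(s, port): "root" for s, (_, port) in best.items()}
    # Designated port: on each link, the end with the lower cost to the root,
    # then the lower Bridge ID. The root bridge wins every link it is on.
    for a, pa, b, pb, _ in links:
        if (dist[a], bid[a]) < (dist[b], bid[b]):
            des, other = (a, pa), (b, pb)
        else:
            des, other = (b, pb), (a, pa)
        roles[des] = "designated"
        roles.setdefault(other, "blocking")   # neither root nor designated
    return root, dist, roles


def demo_topology():
    """Three switches in a triangle, all 100 Mbps, default priority 32768."""
    switches = {"SW1": (32768, "0200.0000.1111"),
                "SW2": (32768, "0200.0000.2222"),
                "SW3": (32768, "0200.0000.3333")}
    links = [("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
             ("SW1", "Fa0/2", "SW3", "Fa0/1", 100),
             ("SW2", "Fa0/2", "SW3", "Fa0/2", 100)]
    return switches, links


def demo():
    return port_roles(*demo_topology())


def rogue_demo():
    """A device with priority 0 on SW3 Fa0/3 becomes root and reshapes the
    whole tree; BPDU guard on access ports exists to stop exactly this."""
    switches, links = demo_topology()
    switches["ROGUE"] = (0, "0200.0000.ffff")
    links.append(("SW3", "Fa0/3", "ROGUE", "Gi0/1", 1000))
    return port_roles(switches, links)


if __name__ == "__main__":
    for root, dist, roles in (demo(), rogue_demo()):
        print("root:", root, "costs:", dist)
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} {port}: {role}")
```

In the triangle, SW2 and SW3 both reach SW1 at cost 19, so the SW2-SW3 link is the tie the Designated Bridge section talks about: SW2 has the lower Bridge ID, its Fa0/2 is designated and SW3 Fa0/2 blocks. Once the priority-0 device is attached, every cost is recomputed from it and SW2 Fa0/1 becomes the blocked port instead.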
BPDU Messages
 Hello BPDUs are sent every two seconds by the root bridge (the Hello timer).
 The Hello BPDU contains the Bridge ID of the root and the sender's cost to the root.
 Each switch forwards the Hello out its designated ports, adding the port cost.
 If Hellos stop arriving on a port, the stored BPDU ages out after MaxAge (20 seconds
by default) and the tree is recalculated, possibly including a new root election.
 A switch sends a Topology Change Notification (TCN) toward the root when this
happens. The root flags the change in its Hellos, which makes the other switches age
out their MAC table entries quickly (after Forward Delay instead of the normal
300-second aging) so invalid entries are removed.
Timers
 The time spent in the listening state is set by the Forward Delay timer: 15
seconds by default.
 The learning state also lasts one Forward Delay, 15 seconds.
 MaxAge is 20 seconds.
 Re-convergence of STP can therefore take up to 50 seconds in total (20 + 15 + 15).
Etherchannel
 Combines 2 to 8 parallel Ethernet links between the same pair of switches
 Treated by STP as a single link
 Rapid, near-instant failover when one member link fails
 Eliminates (or at least reduces) the STP convergence caused by TCNs, since losing
one member does not change the topology
 Provides more bandwidth
conf t
int fa0/3
channel-group 5 mode on
(Configure both switches with the same group number, on all member interfaces.)
show etherchannel 5 [detail | port | port-channel | summary]
Portfast
 Lets a switch port go straight to the forwarding state when a device is plugged in
 No listening or learning states
 Use only for end-user connections (or servers), never for ports to other switches,
which must participate in STP
 BPDU guard, if enabled, shuts down (err-disables) a portfast-enabled port if it
receives a BPDU on it
 Do not use portfast on trunk ports or uplinks to routers, only on access ports
conf t
int fa0/17
spanning-tree portfast
Rapid Spanning Tree (802.1w)
 Elects the root bridge the same way as STP
 Elects the designated bridge the same way as STP
 Uses forwarding and blocking the same way as STP, but RSTP calls blocking
"discarding"
 Can be deployed alongside STP
 RSTP converges much faster
RSTP switches whose interfaces connect to an 802.1d switch fall back to 802.1d on those
interfaces. Interfaces connected to other RSTP switches stay at 802.1w.
RSTP Link and Edge Types
 Link-type point-to-point (A in the graphic): a full-duplex link to exactly one other
switch
 Link-type shared (B): a half-duplex link, for example through a hub
 Edge type (C): a port to an end host, the RSTP equivalent of Portfast
The convergence improvement comes on the point-to-point links (A): RSTP can move such a
port to forwarding by handshaking with its single neighbour instead of waiting out the
listening and learning timers.
RSTP Port Types
RSTP Role         STP Role          Definition
Root Port         Root Port         The port on each switch that hears the best BPDU
Designated Port   Designated Port   The port that advertises the best BPDU onto a segment
Alternate Port    N/A               A port that receives a suboptimal BPDU (discarding)
Backup Port       N/A               A non-designated port on the same segment / collision
                                    domain as another port on the same switch (discarding)
Disabled          N/A               Administratively disabled
RSTP States
RSTP State    STP State
Discarding    Blocking or Listening
Learning      Learning
Forwarding    Forwarding
Disabled      Disabled
Disabled ports are discarding in RSTP.
Spanning Tree Commands
spanning-tree portfast
spanning-tree vlan 20 root [primary | secondary]
spanning-tree vlan 20 priority priority
(0 – 61440 in increments of 4096 when the extended system ID is in use; lower wins)
spanning-tree cost cost
show spanning-tree [brief]
show spanning-tree interface fa0/14
show spanning-tree vlan 40
debug spanning-tree
spanning-tree portfast bpduguard
errdisable recovery cause bpduguard
errdisable recovery interval 400
show spanning-tree summary totals
show errdisable recovery
channel-group 5 mode [auto | desirable | on]
show etherchannel 5 [detail | port | port-channel | summary]
Devices attached to ports with BPDU guard must not participate in spanning tree. If such
a device transmits a BPDU on that port, BPDU guard err-disables the port. The port stays
down until it is reset by hand (shutdown, then no shutdown) or until errdisable recovery
brings it back after the configured interval.
Virtual LANs and Trunking
 A VLAN is a logical broadcast domain
 Multiple VLANs on a switch can traverse a trunk
 Trunking sends traffic for multiple VLANs over one link from one switch to another,
marking each frame so the receiving switch knows which VLAN it belongs to
ISL and 802.1q (1dotQ)
These are the two types of trunk encapsulation.
                                  ISL                    Dot1Q
Standard                          Cisco (proprietary)    IEEE
Encapsulates the original frame   Yes                    No (inserts a 4-byte tag)
Multiple Spanning Tree            Yes, with PVST+        Yes, with PVST+ or 802.1s
Uses a native (untagged) VLAN     No                     Yes
Allows 12-bit VLAN field          Yes                    Yes
PVST = Per-VLAN Spanning Tree. This is Cisco proprietary but can traverse dot1Q trunks
(as PVST+) to allow multiple spanning trees. Dot1Q can instead use 802.1s, which does the
same thing; 802.1s is Multiple Spanning Tree Protocol.
VLAN Trunking Protocol (VTP)
 Carries VLAN information across trunks
 Allows switches to dynamically learn about VLANs on other switches
VTP floods advertisements throughout the VTP domain every 5 minutes, or whenever there
is a configuration change. VTP advertisements carry a configuration revision number,
which increments by one every time a change is made. A switch that hears an
advertisement with a higher revision number than its own replaces its VLAN database with
the advertised one.
VTP operates in three modes: Server, Client, and Transparent.
                                                 Server   Client   Transparent
Originates VTP messages                          Yes      No       No
Synchronizes configuration with other switches   Yes      Yes      No
Forwards VTP advertisements                      Yes      Yes      Yes
Saves VLAN configuration in NVRAM                Yes      No       Yes
Creates, modifies, deletes VLANs                 Yes      No       Yes
 Transparent mode is almost like disabling VTP for that switch. Although the switch
still forwards VTP advertisements across its trunks, it acts independently of the other
switches participating in VTP synchronization in that domain.
 Client mode doesn't store VLAN information in NVRAM, and it won't let you modify
VLAN information.
 VTP domain names must match for switches to share VLAN information.
 Ports configured as trunk ports do not show up in show vlan. Trunk ports do not
belong to a single VLAN.
 Revision numbers change when VLANs are modified. Changing the VTP domain name,
however, does not increment the revision number; it resets it to zero!
VTP Pruning
Trunks carry traffic for all VLANs, so broadcasts are sent to every switch on the
network. But in most cases a switch does not have ports in every VLAN. VTP pruning lets
switches stop broadcasts and unknown unicasts for a VLAN from flowing to switches that
have no ports in that VLAN.
VTP Messages
Summary Advertisements – Server-mode and client-mode switches send summary
advertisements every five minutes to inform other switches of the domain name and
revision number.
Subset Advertisements – Carry the list of VLANs to client- and server-mode switches.
This is the database itself.
Advertisement Requests – Sent when a client- or server-mode switch restarts, when the
VTP domain name changes, or when a switch hears a summary advertisement whose revision
number is higher than its own. The switch requests a summary advertisement and then a
subset advertisement.
Example: a switch restarts. When it comes up, it requests a summary advertisement. If its
revision number matches the one advertised, nothing further happens. If its revision
number is lower than what is being advertised, it requests a subset advertisement and
adopts that database. If its revision number is higher than what is being advertised,
the other switches in the domain (server and client mode only) request a subset
advertisement from it and replace their own databases with its, even if that deletes
VLANs that are in use.
Changing a switch's domain name or putting it in transparent mode resets the revision
number to zero. Do this before bringing in a switch that is known to have a higher
revision number than the other switches in the domain. Also make sure a switch in a
different domain does not sit between two switches of the same domain, or those two will
never share VTP information: VTP does not traverse beyond its own domain.
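The revision-number behaviour described in the VTP sections above, played out as an added example that is not part of the original notes. It is a Python model, not Cisco code: the switch names, domain name, password and VLANs are constructed, and the digest is a simplified stand-in for the MD5 digest VTP computes over the advertisement and password. The scenario shows a client following its server, a reused switch with a higher revision wiping the domain's VLANs, a wrong password being rejected, and the domain-name change that resets the revision to zero.

```python
"""Added example, not from the original notes: a model of how VTP servers and
clients synchronise on the configuration revision number, why a switch with a
higher revision overwrites the whole domain, and how changing the domain name
avoids it. Switch names, VLANs, domain and password are constructed; the digest
is a simplified stand-in for VTP's real MD5 over the advertisement."""
import hashlib


def _digest(domain, revision, password):
    """Stand-in for the MD5 digest that lets receivers reject a wrong password."""
    return hashlib.md5(f"{domain}:{revision}:{password}".encode()).hexdigest()


class VtpSwitch:
    def __init__(self, name, mode, domain, password=""):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = 0
        self.vlans = {1: "default"}

    def set_domain(self, domain):
        """vtp domain <name>: a new domain name resets the revision to 0."""
        if domain != self.domain:
            self.domain, self.revision = domain, 0

    def set_mode(self, mode):
        """vtp mode <mode>: moving to transparent also resets the revision."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def add_vlan(self, vid, name):
        """vlan <id> / name <name>: clients cannot create VLANs; a server bumps
        the revision on every change; transparent keeps a private database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client cannot modify VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1

    def summary(self):
        """Summary advertisement plus the subset (VLAN list) a requester would get."""
        return {"src": self.name, "domain": self.domain, "revision": self.revision,
                "digest": _digest(self.domain, self.revision, self.password),
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply one advertisement and describe what happened."""
        if self.mode == "transparent":
            return "forwarded"                      # relayed on trunks, never applied
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != _digest(self.domain, adv["revision"], self.password):
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        # A higher revision wins, on clients AND servers, even if it removes VLANs.
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return f"synchronised to revision {self.revision} from {adv['src']}"


def flood(switches, src):
    """Deliver src's advertisement to every other switch; return their reactions."""
    adv = src.summary()
    return {sw.name: sw.receive(adv) for sw in switches if sw is not src}


def domain_scenario():
    core = VtpSwitch("core", "server", "CORP", "s3cret")
    access = VtpSwitch("access", "client", "CORP", "s3cret")
    lab = VtpSwitch("lab", "transparent", "CORP", "s3cret")
    core.add_vlan(10, "users")
    core.add_vlan(20, "servers")
    normal = flood([core, access, lab], core)          # access follows, lab relays
    # A switch reused from another site: right domain and password, higher
    # revision, only VLAN 1. Every server and client in the domain adopts it.
    stale = VtpSwitch("stale", "server", "CORP", "s3cret")
    stale.revision = 50
    takeover = flood([core, access, lab, stale], stale)
    wiped = sorted(core.vlans) == [1] and sorted(access.vlans) == [1]
    # Wrong password: the advertisement is discarded however high the revision.
    rogue = VtpSwitch("rogue", "server", "CORP", "wrong")
    rogue.revision = 200
    rejected = core.receive(rogue.summary())
    # The fix from the notes: change the domain name (or go transparent) before
    # connecting, so the revision drops to 0 and the switch learns instead of teaches.
    fresh = VtpSwitch("fresh", "server", "OLD", "s3cret")
    fresh.revision = 99
    fresh.set_domain("CORP")
    return normal, takeover, wiped, rejected, fresh.revision


if __name__ == "__main__":
    for item in domain_scenario():
        print(item)
```

Note that `core` is a VTP server and still gets overwritten by `stale`: server mode protects nothing, only the revision number matters. Setting a `vtp password` on every switch in the domain is the one check in these notes that makes an advertisement from a stray switch get dropped.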
Switchport Trunking Modes
Access – Disables trunking and does not even attempt to form a trunk on the interface.
Host ports are access ports. Trunks to: nothing; it will never trunk.
Trunk – Configures the port as a permanent trunk. Trunks to: anything that is willing;
it always tries to trunk but will not form a trunk with a port in Access mode.
Dynamic Desirable – Actively negotiates and will trunk if the connected device is
anything but Access. Trunks to: Trunk, Dynamic Desirable, or Dynamic Auto.
Dynamic Auto – Lets the port become a trunk only if the connected device asks for it.
Trunks to: Trunk or Dynamic Desirable only; two Auto ports will never trunk with each
other.
VLAN and Trunk Configuration
vtp mode [client | server | transparent]
vtp domain name
vtp password password
vtp pruning
vtp version 2
vlan 20
 name Accounting
Router(config-subif)# encapsulation dot1q 20
Switch(config-if)# switchport access vlan 20
switchport trunk allowed vlan 5,10
switchport trunk allowed vlan add 20,25
switchport mode [access | dynamic auto | dynamic desirable | trunk]
switchport access vlan 20
show vlan [brief | id id | name name]
show vlan id 40
show vtp status
show spanning-tree vlan 40
IP Addressing and Subnetting
Subnetting borrows bits from the host part of an address.
Class A: NNNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH
Class B: NNNNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH
Class C: NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH
For example, say one bit is used to subnet a Class A address. You can think of it as
writing out:
NNNNNNNN.SHHHHHHH.HHHHHHHH.HHHHHHHH, or a mask of 255.128.0.0.
The number of hosts per subnet is 2^x − 2, where x is the number of host bits in the
address (the two subtracted addresses are the subnet number and the subnet broadcast).
To calculate the number of subnets, use the same equation with x = the number of subnet
bits. Keep in mind, though, that if ip subnet-zero is in use (the default since IOS
12.0), the zero subnet and the all-ones subnet are usable and you do not subtract 2.
Powers of Two
2^1    2        2^9     512
2^2    4        2^10    1024
2^3    8        2^11    2048
2^4    16       2^12    4096
2^5    32       2^13    8192
2^6    64       2^14    16384
2^7    128      2^15    32768
2^8    256      2^16    65536
Prefix to Mask Conversion
Mask octet    Octet 1    Octet 2    Octet 3    Octet 4
128           /1         /9         /17        /25
192           /2         /10        /18        /26
224           /3         /11        /19        /27
240           /4         /12        /20        /28
248           /5         /13        /21        /29
252           /6         /14        /22        /30
254           /7         /15        /23        /31
255           /8         /16        /24        /32
Find the octet in which the mask stops being 255 and read the prefix from that column:
255.255.240.0 has 240 in octet 3, so it is /20.
Finding the Subnet Number
The subnet number (also called the increment) is the value by which successive subnets
increase in the interesting octet. For example, if the increment is 32 and your network
is 192.168.0.0 with a mask of 255.255.224.0, your subnets will be:
192.168.0.0
192.168.32.0
192.168.64.0
192.168.96.0
192.168.128.0
Etc.
There are only nine possible values, one for each possible number of subnet bits in an
octet:
Mask octet    Binary       Subnet number
0             0000 0000    0 (no subnet bits in this octet)
128           1000 0000    128
192           1100 0000    64
224           1110 0000    32
240           1111 0000    16
248           1111 1000    8
252           1111 1100    4
254           1111 1110    2
255           1111 1111    1
A quick way to calculate the subnet increment is to subtract the interesting octet of the
mask from 256. For example, if the mask is 255.255.192.0, the interesting octet is 192
and the subnets in this network increment by 64 in the third octet. If the mask is
255.255.0.0, the interesting octet is the second one and the subnets increment by 1
there.
Subnet Range
Once you have the subnet increment, you can determine the range of each subnet. The
first address is the network address; the first subnet's network address ends in .0 and
is usable when ip subnet-zero is enabled. If you had a network of 172.22.0.0 subnetted
with a mask of 255.255.192.0, your first subnet would be:
172.22.0.0
The next subnet would be:
172.22.64.0
The first address that can be assigned to a host in the first subnet is 172.22.0.1 and
the last is 172.22.63.254. The address 172.22.63.255 is that subnet's broadcast address
and cannot be assigned to a host. So you have 2^x addresses in the subnet, but you must
subtract two for the network address and the broadcast address.
Here are the first three subnets of that network written out longhand:
Subnet 1   Network address     172.22.0.0
Subnet 1   First valid IP      172.22.0.1
Subnet 1   Last valid IP       172.22.63.254
Subnet 1   Broadcast address   172.22.63.255
Subnet 2   Network address     172.22.64.0
Subnet 2   First valid IP      172.22.64.1
Subnet 2   Last valid IP       172.22.95.254
Subnet 2   Broadcast address   172.22.95.255
Subnet 3   Network address     172.22.96.0
Subnet 3   First valid IP      172.22.96.1
Subnet 3   Last valid IP       172.22.127.254
Subnet 3   Broadcast address   172.22.127.255
Enhanced Bob Maneuver
Everyone knows this chart, and networking lore credits it to an unknown tech named
"Bob". It compiles the shorthand numbers and calculations for subnet information.
# of Bits   Subnet Mask   Subnet Number   # Subnets (2^x)   # Hosts (2^x − 2)   Prefix
1           128           128             2                 0                   /25
2           192           64              4                 2                   /26
3           224           32              8                 6                   /27
4           240           16              16                14                  /28
5           248           8               32                30                  /29
6           252           4               64                62                  /30
7           254           2               128               126                 /31
8           255           1               256               254                 /32
Read the "# of Bits" column as subnet bits for the mask, subnet number, subnet count and
prefix columns, and as host bits for the hosts column: a /25 leaves 7 host bits, so its
host count is read from the 7-bit row (126). The chart is written for the fourth octet of
a Class C address, but with a little tweaking the same numbers and principles apply to
any class.
Subnetting Testing Example
On the CCNA exam, you will need to subnet a network from a diagram shown where
they give you the number of hosts in each network and give you a choice of networks to
choose from that will best support the number of hosts required. The steps needed to
answer this question are the same steps one would take to subnet a new network in the
field.
This is called Variable Length Subnet Masking (VLSM) and it is allows us to subnet in
different increments on the same network.
You are subnetting with a 192.268.2.0 Network.
1) Determine how many host bits are needed to satisfy the largest network.
a. Network [A] is the largest with 50 hosts
17
b. 2x – 2 must be greater than or equal to 50.
c. 2 to the 5th is 32, but 2 to the 6th is 64, which will give us enough
addresses for this network
A quick way to calculate figure out the number of hosts without doing
the powers of 2, is to subtract the number of host you need from 254. In
the above case, 254 – 50 = 204. When we consult the Enhanced Bob
chart, we see that the closest mask for that number, without going over is
.192 or, which provides us 64 hosts.
2) Pick a subnet for the largest network to use. These will be in increments of 64, so
our options are:
a. 192.168.2.0
b. 192.168.2.64
c. 192.168.2.128
d. 192.168.2.192
3) Pick the next largest network, in this case Network [B] with 27 hosts and
determine the network using the same methods as before. 2x – 2 must be greater
than or equal to 27, so our best option is 5, giving us 25 – 2 or 30. So we need to
use a mask of .224 which will grant us 32 total addresses (subnet and broadcast
included).
4) Lets say we chose 192.168.2.0 for network [A], this means for network [B] our
options are:
a. 192.168.2.64
b. 192.168.2.96
c. 192.168.2.128
d. 192.168.2.160
e. 192.168.2.192
f. 192.168.2.224
5) Pick the next largest network. Both [C] and [D] require 12 hosts, so 2^x – 2 must
be at least 12. If x = 4, then we get 2^4 – 2 or 14. For this, the closest mask is .240
which will grant us 16 total addresses.
6) Assume we used 192.168.2.64 as the address for network [B]. This will allow us to
take the following addresses for either [C] or [D]:
a. 192.168.2.96
b. 192.168.2.112
Etc.
7) Finally, determine the addresses for the serial links, which require two hosts each.
This is the same as saying 2^2 – 2 or 2! The mask that meets this requirement is
.252 which gives us the 4 total addresses we need.
8) Assuming we used 192.168.2.96 and 192.168.2.112 for [C] and [D] respectively, we
can use any of the following networks and still have room for growth on our
network in the future:
a. 192.168.2.128
b. 192.168.2.132
c. 192.168.2.136
d. 192.168.2.140
Etc.
The Breakdown
Network A (64 total hosts)
Network Address: 192.168.2.0
Host Range: 192.168.2.1 – 192.168.2.62
Broadcast Address: 192.168.2.63
Network B (32 total hosts)
Network Address: 192.168.2.64
Host Range: 192.168.2.65 – 192.168.2.94
Broadcast Address: 192.168.2.95
Network C (16 total hosts)
Network Address: 192.168.2.96
Host Range: 192.168.2.97 – 192.168.2.110
Broadcast Address: 192.168.2.111
Network D (16 total hosts)
Network Address: 192.168.2.112
Host Range: 192.168.2.113 – 192.168.2.126
Broadcast Address: 192.168.2.127
Network E (4 total hosts)
Network Address: 192.168.2.128
Host Range: 192.168.2.129 – 192.168.2.130
Broadcast Address: 192.168.2.131
Network F (4 total hosts)
Network Address: 192.168.2.132
Host Range: 192.168.2.133 – 192.168.2.134
Broadcast Address: 192.168.2.135
Network G (4 total hosts)
Network Address: 192.168.2.136
Host Range: 192.168.2.137 – 192.168.2.138
Broadcast Address: 192.168.2.139
Network H (4 total hosts)
Network Address: 192.168.2.140
Host Range: 192.168.2.141 – 192.168.2.142
Broadcast Address: 192.168.2.143
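The eight steps above are a largest-first allocation, and the breakdown is what that allocation produces. The following Python is an added worked example (not part of the original notes) that performs the same allocation with the standard ipaddress module: it turns a host count into the smallest block whose usable size (2^x – 2) is big enough, hands out blocks from the lowest free address, and returns the remainder of each block to the free list so smaller networks can be carved from it. The requirement list is constructed to match the text (A=50, B=27, C=D=12, four serial links of 2).

```python
import ipaddress

def hosts_to_prefix(hosts):
    """Smallest block whose usable size (2^x - 2) covers the requested hosts.
    Returns the prefix length (32 - x)."""
    bits = 2                                   # /30 is the smallest block with usable hosts
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits

def allocate_vlsm(base, requirements):
    """Largest-first VLSM allocation inside `base`.
    `requirements` is a list of (name, hosts); returns [(name, hosts, network)]."""
    free = [ipaddress.ip_network(base)]        # unallocated blocks
    allocated = []
    # sorted() is stable, so equal-sized networks keep their listed order
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = hosts_to_prefix(hosts)
        free.sort(key=lambda n: int(n.network_address))   # lowest free block first
        for i, block in enumerate(free):
            if block.prefixlen <= plen:        # block is big enough for this network
                free.pop(i)
                # carve the chosen subnet from the start of the block ...
                chosen = ipaddress.ip_network(f"{block.network_address}/{plen}")
                # ... and return the rest of the block to the free list
                free.extend(block.address_exclude(chosen))
                allocated.append((name, hosts, chosen))
                break
        else:
            raise ValueError(f"no free block large enough for {name} ({hosts} hosts)")
    return allocated

def breakdown(allocations):
    """Network, first/last usable host and broadcast for each allocation."""
    rows = []
    for name, hosts, net in allocations:
        usable = list(net.hosts())
        rows.append({"name": name, "requested": hosts, "total": net.num_addresses,
                     "network": str(net), "mask": str(net.netmask),
                     "first_host": str(usable[0]), "last_host": str(usable[-1]),
                     "broadcast": str(net.broadcast_address)})
    return rows

# Requirements from the worked example above (constructed from the text).
REQUIREMENTS = [("A", 50), ("B", 27), ("C", 12), ("D", 12),
                ("E", 2), ("F", 2), ("G", 2), ("H", 2)]

if __name__ == "__main__":
    for row in breakdown(allocate_vlsm("192.168.2.0/24", REQUIREMENTS)):
        print(f"Network {row['name']} ({row['total']} total) {row['network']}: "
              f"{row['first_host']} - {row['last_host']}, broadcast {row['broadcast']}")
```

Running it reproduces the breakdown exactly (A at .0/26, B at .64/27, C and D at .96/28 and .112/28, the serial links at .128, .132, .136 and .140 with /30). Allocating largest-first matters: doing the /30s first would fragment the space and could leave no aligned /26 for network A.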
Distance Vector & Static Routes
Static Routes
Manually entered into a router. These routes take precedence over any route that was
learned dynamically, with the exception of directly connected routes. The administrative
distance for a static route is one.
ip route 10.1.2.0 255.255.255.0 10.1.128.252
This static route means that anything destined for the 10.1.2.0 network will be forwarded
to the next-hop router with the IP address 10.1.128.252. Alternatively, the command can be
written with the outgoing interface instead:
ip route 10.1.2.0 255.255.255.0 Serial0
The IP Address set in a static route for the destination is used for the next hop router. It is
not an IP on the local router.
You can also provide the optional permanent keyword. This specifies that the route will
not be removed, even if the interface shuts down.
ip route 10.1.2.0 255.255.255.0 Serial0 permanent
Setting a static administrative distance can also be used if you do not want a static route
to take precedence over a route that was learned dynamically.
ip route 10.1.2.0 255.255.255.0 Serial0 200
Default Routing
You can also use a static route to declare a default gateway. For example, this command:
ip route 0.0.0.0 0.0.0.0 10.1.2.1
Is the same as this command:
ip default-gateway 10.1.2.1
Distance Vector Concepts
Routers learn routes from neighbors and via the neighbors of neighbors. But with a
router’s neighbor’s neighbors, the metric goes up. The metric will increase the further
downstream you go. Some routes are better than others, and a router will choose the route
with the lowest metric.
For a redundant routing topology, the routing protocol has built-in loop avoidance features.
Issue: Multiple routes to the same subnet have equal metrics.
Solution: Often uses the first route learned but keeps all of the multiple routes in the
routing table.
Issue: Loops from updates passing each other over a single link / counting to infinity on a
single link.
Solution: Split Horizon: only advertises routes out an interface if that interface did not
learn said route from that interface. Split Horizon with Poison Reverse: when a route
fails, it will advertise out all interfaces, but with an infinite distance metric.
Issue: Loops from routing information looping through alternative paths / counting to
infinity on a single link.
Solution: Route Poisoning: when a route to a subnet fails, the route is advertised with an
infinite distance metric.
Issue: Counting to infinity on multiple links to many subnets.
Solution: Hold Down Timer: after a route fails, the router waits X amount of time before
believing any other route information about that subnet. Triggered Updates: after a route
fails, an update is sent immediately rather than waiting for the timer to expire. Used in
conjunction with Route Poisoning.
Route Poisoning
Route Poisoning begins when a router notices that a connected route is no longer valid.
Instead of simply not advertising it, routers that use route poisoning will advertise this invalid
route, but with an infinite metric. Other routers see this huge metric and consider the
route invalid. For example, with RIP, a metric of 16 is considered “infinite”.
1) The route through B’s E1 to subnet 10.1.1.0 goes down.
2) Router B sends out infinite metric advertisements to A and C, which consider the route
invalid.
3) Just in case A gets B’s advertisement before C, or vice versa, the routers ignore
all other advertisements about B’s route to 10.1.1.0, and then both routers remove the
route.
Distance Vector routing protocols are classful routing protocols and
cannot support VLSM. “ip classless” is enabled by default on Cisco
routers. Enter “no ip classless” when using distance vector protocols such
as RIP and IGRP.
Split Horizon
With Split Horizon, a router will not advertise a route back out the interface it learned that
same route from. For example, router one tells router two that it can get to the 10.1.1.0
network via its E1 interface. Router two receives this update on its S1 interface. Router
two will tell other routers about the 10.1.1.0 network on router one, but it will not
advertise that route out its S1 interface, because that is the interface it learned the route
from. This prevents routing loops in the event a route should fail.
Poison Reverse
Split Horizon will poison if a route goes down. This is called Poison Reverse. Poison
Reverse advertisements go out ALL of the router’s interfaces as an infinite distance
metric. This includes the interfaces prevented by Split Horizon. Poison Reverse is Route
Poisoning that breaks the Split Horizon rule.
Hold Down Timer
Hold Down timers defeat the counting to infinity problem on networks with multiple
paths to many subnets.
1) Router B loses its connection to the network off E1 and advertises to its
neighbors, A and C, with an infinite distance metric to indicate that the route is
down.
2) Router C sends an update to Router A at the same time or after Router B’s
advertisement. This confuses Router A and it does not know which route is
correct.
3) A loop ensues as it thinks it knows a way to get to the 10.1.1.0 network.
To prevent this, Hold Down timers would tell Router C not to believe anything
concerning Router B for a certain period of time. Eventually, Router A gets its story
straight and stops advertising outdated information.
Triggered Flash Updates
In the example above, a triggered flash update would also prevent this. This sends news
of a failed route immediately, warning its own neighbors right away, so they can kick off
their hold down timers sooner rather than later. Update Timer is ignored, essentially, by
the router with the downed route.
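The loop-avoidance features above (route poisoning, split horizon, poison reverse) are easiest to see by counting how many update rounds two routers need to agree that a subnet is gone. The Python below is an added example, not code from the original notes: a minimal distance vector simulator with RIP's hop-count metric and infinity of 16. The scenario is constructed: Router B owns 10.1.1.0/24, A learns it from B, then B's link fails and B poisons the route. Without split horizon, A keeps advertising the stale route back to B and the two count up to 16 together; with split horizon (or poison reverse) they converge in one exchange.

```python
INFINITY = 16  # RIP's "infinite" hop count

class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []
        self.table = {}          # prefix -> [metric, next_hop Router, or None if connected]

    def add_connected(self, prefix):
        self.table[prefix] = [0, None]

def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)

def build_update(router, to, split_horizon, poison_reverse):
    """The routes `router` advertises toward neighbor `to`."""
    update = {}
    for prefix, (metric, next_hop) in router.table.items():
        if next_hop is to:                       # route was learned from this very neighbor
            if split_horizon and poison_reverse:
                update[prefix] = INFINITY        # poison reverse: send it back as unreachable
                continue
            if split_horizon:
                continue                         # plain split horizon: do not send it back
        update[prefix] = metric
    return update

def apply_update(router, sender, update):
    """Distance vector rules: believe the current next hop even when its news is worse,
    otherwise only switch to a strictly better route. Returns True if anything changed."""
    changed = False
    for prefix, metric in update.items():
        new = min(metric + 1, INFINITY)          # one more hop to get there via sender
        cur = router.table.get(prefix)
        if cur is None:
            if new < INFINITY:
                router.table[prefix] = [new, sender]
                changed = True
        elif cur[1] is sender:
            if cur[0] != new:
                cur[0] = new
                changed = True
        elif new < cur[0]:
            router.table[prefix] = [new, sender]
            changed = True
    return changed

def run_until_stable(routers, split_horizon, poison_reverse=False, max_rounds=100):
    """Synchronous update rounds; returns the round number at which nothing changed."""
    for rnd in range(1, max_rounds + 1):
        msgs = [(r, nb, build_update(r, nb, split_horizon, poison_reverse))
                for r in routers for nb in r.neighbors]
        changed = False
        for sender, receiver, update in msgs:
            changed |= apply_update(receiver, sender, update)
        if not changed:
            return rnd
    return max_rounds

def failure_demo(split_horizon, poison_reverse=False):
    """Constructed scenario: B owns 10.1.1.0/24, A learns it via B, then B's link fails.
    Returns (rounds to converge, A's metric, B's metric)."""
    a, b = Router("A"), Router("B")
    link(a, b)
    b.add_connected("10.1.1.0/24")
    run_until_stable([a, b], split_horizon, poison_reverse)   # A now has the route, metric 1 via B
    b.table["10.1.1.0/24"] = [INFINITY, None]                 # route poisoning on the failed link
    rounds = run_until_stable([a, b], split_horizon, poison_reverse)
    return rounds, a.table["10.1.1.0/24"][0], b.table["10.1.1.0/24"][0]

if __name__ == "__main__":
    print("no split horizon:   ", failure_demo(split_horizon=False))
    print("split horizon:      ", failure_demo(split_horizon=True))
    print("with poison reverse:", failure_demo(split_horizon=True, poison_reverse=True))
```

Without split horizon the metric bounces between A and B, climbing two hops per round until both reach 16; with split horizon A never echoes the route back and B's poisoned update settles the matter in the first exchange. A hold-down timer is the defence for the multi-path version of the same problem, where the stale route arrives from a third router instead.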
RIP & IGRP
RIP and IGRP default settings
Setting                 RIP           IGRP
Update Timer            30 seconds    90 seconds
Metric                  Hop Count     Bandwidth and Delay
Hold-down Timer         180           280
Flash Updates           Yes           Yes
Mask sent in update     No            No
Infinite Metric Value   16            4,294,967,295
A “show ip protocols” displays timer information.
RIP & IGRP Commands
router rip [database]
version 2
ip rip [send | receive] version [1|2]
router igrp AS Number
bandwidth
network net-number
passive-interface
maximum-paths number
variance multiplier
traffic-share [balanced | min]
default-information originate
sho ip route
sho ip protocols
debug ip rip
debug ip igrp transactions
debug ip igrp events
IGRP uses the bandwidth command on each interface to determine that interface’s
bandwidth. The default is 1544 (T1 speed). By default, IGRP will treat a T1 the same as a
64k link unless the bandwidth command is set on the interface with the 64k link.
bandwidth 64
Multiple Routes to the same subnet in a Routing Table
When a better route comes along, the better route replaces the old one. When they tie, the
router needs to decide what to do.
With RIP, load balancing ensues, allowing four routes by default.
For IGRP, which considers bandwidth and delay for metric, links are seldom truly equal.
The variance command defines a multiplier – any metrics lower than the product of the
lowest metric and the variance are considered equal.
For example, if the metric for the better of two routes was 100 and the variance is set to
two, IGRP would consider a second route to be equal if the metric was less than 200.
The traffic-share min command tells the router to use the route that truly has the lowest
metric. But this drops your other routes from the table, so if your first route fails, you
need to wait for convergence.
Administrative Distances
Route Source       Administrative Distance
Connected          0
Static             1
EIGRP Summary      5
EBGP               20
EIGRP Internal     90
IGRP               100
OSPF               110
IS-IS              115
RIP                120
EIGRP External     170
iBGP               200
OSPF and EIGRP Concepts
Both are link-state routing protocols, but use different methods for determining metric.
OSPF Table Concepts
1) Each router discovers its OSPF neighbors and keeps them in a neighbor table.
Unless the connection to the neighbor is point-to-point, a Designated Router and
Backup Designated Router are elected
2) Each router uses a reliable protocol (LSAs) to exchange topology information
with its neighbors.
3) Each router places learned topology information into its topology database.
Neighbors become fully adjacent.
4) Each router runs the SPF algorithm against its own topology database to find the
best routes.
5) Each router puts the best routes into its routing table.
OSPF Router ID
To uniquely identify each router in a router’s databases, OSPF uses Router IDs. The
Router ID is equal to the highest IP of its active interfaces. If there is a loopback address
set, the loopback address will always be the Router ID.
Hello Messages
OSPF routers can become neighbors if they are connected to the same subnet. They do
not have to be directly connected. To discover neighbors, an OSPF router sends a hello
message. All routers on the subnet participating in OSPF send their own hello message
back.
A hello message contains information about a router and its neighbors. In this way, every
OSPF router knows about every other OSPF router, providing they are in the same area.
To become neighbors, routers – even on the same subnet – must agree on the following:
• Subnet Mask
• Subnet Number
• Hello Interval
• Dead Interval
• OSPF Area ID
All of this information is contained in the hello message. The process ID# does not need
to match. In OSPF, “show ip ospf interfaces” displays OSPF hello timer settings. By
default, the hello interval is 10 seconds, and the dead interval is 40 seconds.
OSPF Designated Router
In some cases, a Designated Router (DR) must be elected for the subnet before Database
Description (DD) packets, containing LSAs, can be exchanged between routers. DRs are
not needed on a point-to-point topology; there, DDs with LSAs are simply sent back and forth.
The loss of a DR may cause slow convergence, so OSPF includes a Backup
Designated Router (BDR) on each subnet. A “show ip ospf route” will display which
router is a DR or BDR and which is neither (DROTHER).
Designated Router Election
• Router with the highest OSPF priority becomes the DR.
• If tied, the highest Router ID will break the tie. OSPF priorities are the same by
default, so unless manually modified, the Router ID will always determine who
will be the DR.
• A priority of 0 means that router can never be a DR.
• Priority range is 1 – 255.
• If a new router joins with a higher priority, OSPF does not declare a new DR.
Instead, the new router must wait for the DR or BDR to fail.
• If the router has a loopback address, that address will be used for the Router ID.
• DR and BDR are elected in broadcast and nonbroadcast multi-access networks.
Router(config-if)#ip ospf priority x
Database Exchange and Becoming Fully Adjacent
On interfaces with no DR, OSPF updates are sent to all neighbors on that interface by
unicast. On interfaces with a DR, the non-DR routers send to the DR & BDR using
224.0.0.6 multicast. Then the DR relays the updates using 224.0.0.5.
The router can now exchange its topology database with its neighbors. A large amount of
information is sent. Once this is done, the router transitions into a “full” state.
A “show ip ospf neighbor” lists the neighbors in full state. A neighbor in full state is fully
adjacent. Once a router is fully adjacent to its neighbor, it can run the SPF algorithm and
update its routing table.
Routers that are not DRs or BDRs do not exchange routing updates with other routers
that are also not DR or BDR. Therefore, these neighbors will not become fully adjacent
and won’t show up in a “show ip ospf int” command.
Steady State Operation
In OSPF, when a router fails to hear hellos from its neighbor for the dead interval, the
router takes the silence as an indication of failure. The dead interval default is four times the
hello interval (defaults are 10 and 40 seconds respectively). Then the silent router is flagged
“down” and the SPF algorithm runs again to find good routes. Also, the router floods
topology updates to its neighbors to let them know that neighbor is down, so that they
may also run the SPF algorithm to recalculate new routes.
Loop Avoidance
Unlike distance vector protocols, link-state routers know about a failure quickly and
flood this information immediately. There is no need for split horizon, poisoning, or hold
down timers.
Scaling OSPF with Areas
Large networks should be managed to get the best performance. A large topology
database requires more memory and processing. A single status change forces every
router to run SPF again, so if your environment is large, performance degrades.
OSPF uses areas to break up the network so that routers need to know less topology
information. It is also easier to reason about an OSPF environment if areas map to logical
sites. A large network broken into areas will greatly improve performance.
For example, you do not want this OSPF network in one area.
Breaking this network into areas makes things more manageable and improves
performance.
Router 3 is considered an OSPF Area Border Router (ABR) because it borders two
different areas. Router 3 advertises summary information about routers in area 0, not
the full topology. This is the same for Router 2.
OSPF uses area 0 as the backbone area. All other areas must connect to this area.
Stub Areas
Stub Areas have no other neighboring areas save the backbone area.
• Totally Stubby
• Not-So-Stubby
• Totally Not-So-Stubby
Advertising Areas
OSPF Advertises interfaces, not networks. The wildcard mask in the “network”
command determines which interfaces to advertise. For example:
network 172.16.10.0 0.0.0.255 area 0
This means that any interface that has an IP of 172.16.10.something will be placed into
area 0.
Costs
OSPF cost equals 10^8 / bandwidth (10^8 = 100,000,000)
• 100 Mb link = 1
• 10 Mb link = 10
• 1.544 Mb (T1) = 64
• 64k = 1562
Balanced Hybrid and EIGRP
• Cisco proprietary
• Same logic used for equal cost paths as IGRP
• EIGRP converges quickly
• EIGRP sends routing information once to a neighbor, then only sends updates
• EIGRP can exchange IPX and Appletalk
1) EIGRP routers discover other EIGRP routers attached to the same subnet. They
add these to the neighbor table.
2) EIGRP exchanges topology information with known neighbors – placing them
into a topology table. There is no DR or BDR.
3) EIGRP reviews the topology table and puts the lowest metric routes into the
routing table.
4) EIGRP will have a neighbor, topology, and routing table for each protocol it uses
(IPX, IP, Appletalk).
Neighbors and Sending Topology Information
After neighbor discovery (and neighbor table population) and a full routing update (and
topology table population), EIGRP sends continuous hellos. These are different from the
OSPF hellos, but they perform the same function.
A Hello Interval defines how often hellos are sent. The default for EIGRP is 5 seconds on
LAN and point-to-point WAN links and 60 seconds on multipoint WANs like Frame
Relay. EIGRP uses update messages to convey topology information to its neighbors,
sent to multicast 224.0.0.10.
Updates are sent via Reliable Transport Protocol (RTP). Since it is reliable it will
retransmit packets lost in transit. RTP helps EIGRP avoid loops.
EIGRP Successor and Feasible Successor Routes
A successor route is the best route and it is selected from the topology table by way of the
DUAL algorithm. Feasible successor routes are the next best routes which will not cause a
loop. These are also chosen from the topology table. Successor routes are kept in the
routing table. Feasible successor routes are kept in the topology table.
Classless/Classful
By default, EIGRP is classful. To make it classless, use “no auto-summary”
Query and Reply Process
If a route fails and there is no feasible successor, EIGRP uses an algorithm called the
Diffusing Update Algorithm (DUAL). DUAL finds the best, loop-free route from the
topology table and adds it to the routing table. DUAL queries the router of the desired
new route and that router sends a reply.
OSPF Configuration
default-information originate
router ospf proc-id
network ip wildcard area area-id
ip ospf cost interface cost
bandwidth bandwidth
auto-cost reference-bandwidth number
ip ospf hello-interval number
ip ospf network type
interface loopback0
clear ip ospf process
ip ospf priority x
To find the wildcard mask for a subnet mask, write a 0 for each 255, a 255 for each 0, and for
any octet that is subnetted, subtract that octet’s value from 255.
i.e.: to convert 255.255.252.0 to a wildcard, write 0.0. for the two 255 octets, then
subtract 252 from 255 to get 3, and finally write 255 for the 0 octet, winding up
with 0.0.3.255.
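Three of the calculations in the OSPF sections above (the cost formula under Costs, the wildcard rule just described, and the way the "network" command matches interfaces rather than networks) are small enough to check by hand, so here they are as an added Python example, not code from the original notes. The wildcard rule generalizes to any mask because subtracting each octet from 255 is the bitwise inverse of the mask; the interface matcher applies the wildcard the way IOS does, comparing only the bits where the wildcard is 0. Function names are my own.

```python
import ipaddress

def wildcard_from_mask(mask):
    """Wildcard mask: each octet subtracted from 255 (bitwise inverse of the subnet mask)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def interface_in_network_statement(interface_ip, network, wildcard):
    """True if an interface IP is matched by `network <network> <wildcard> area ...`:
    bits that are 0 in the wildcard must equal the statement's address, 1 bits are ignored."""
    ip = int(ipaddress.IPv4Address(interface_ip))
    net = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits we must match
    return (ip & care) == (net & care)

def ospf_cost(bandwidth_bps, reference_bps=100_000_000):
    """Default OSPF cost: reference bandwidth (10^8) divided by the link bandwidth,
    truncated to an integer and never below 1."""
    return max(1, reference_bps // bandwidth_bps)

if __name__ == "__main__":
    print("255.255.252.0 ->", wildcard_from_mask("255.255.252.0"))
    for ip in ("172.16.10.5", "172.16.11.5"):
        print(ip, "matched by 172.16.10.0 0.0.0.255:",
              interface_in_network_statement(ip, "172.16.10.0", "0.0.0.255"))
    for bps in (100_000_000, 10_000_000, 1_544_000, 64_000, 1_000_000_000):
        print(f"{bps:>13} bps -> cost {ospf_cost(bps)}")
```

The last line of the loop shows why the auto-cost reference-bandwidth command exists: with the default 10^8 reference, a 1 Gb link and a 100 Mb link both cost 1 and OSPF cannot tell them apart, so the reference has to be raised on every router in the area.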
OSPF Exec Commands
show ip route
show ip route ospf
show ip protocols
show ip ospf interface
show ip ospf protocols
show ip ospf neighbor
debug ip ospf events
debug ip ospf packet
debug ip ospf hello
Authentication with OSPF
Router(config-router)#area 0 authentication                  (clear text authentication)
Router(config-router)#area 0 authentication message-digest   (MD5 authentication)
Router(config-router)#exit
Router(config)#interface fa0/0
Router(config-if)#ip ospf authentication-key fred            (for clear text authentication)
Router(config-if)#ip ospf message-digest-key 1 md5 fred      (for MD5 authentication)
Authentication configs must be the same on both routers: the key (i.e. “fred”) and the
authentication type must match.
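What the message-digest key actually protects is easiest to see in code. The Python below is an added example, not part of the original notes or Cisco's implementation: it models the keyed-MD5 scheme from RFC 2328 Appendix D, where the key is zero-padded to 16 bytes, appended to the OSPF packet, and MD5 of the whole thing is sent as a trailer in place of the key. The hello packet here is a constructed byte string, not a real OSPF packet, and the sequence number that real OSPF adds against replay is left out.

```python
import hashlib
import hmac

KEY_LEN = 16   # RFC 2328 Appendix D: the MD5 key is used as 16 bytes, zero-padded

def ospf_md5_digest(packet, key):
    """Digest as OSPF computes it: MD5 over the packet followed by the padded key.
    The key itself is never transmitted; only this 16-byte digest is appended."""
    padded = key[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()

def sign_packet(packet, key):
    return packet + ospf_md5_digest(packet, key)

def verify_packet(wire, key):
    """Split off the trailing digest and recompute it with our own configured key."""
    if len(wire) <= KEY_LEN:
        return False
    body, digest = wire[:-KEY_LEN], wire[-KEY_LEN:]
    return hmac.compare_digest(digest, ospf_md5_digest(body, key))

# Constructed stand-in for an OSPF Hello (not a real packet capture)
HELLO = b"OSPFv2 hello area 0 from 10.1.1.1 hello 10 dead 40"

def demo():
    wire = sign_packet(HELLO, b"fred")
    return {
        "same key accepted": verify_packet(wire, b"fred"),
        "different key rejected": verify_packet(wire, b"Fred"),
        "tampered packet rejected": verify_packet(wire.replace(b"area 0", b"area 1"), b"fred"),
        "key not on the wire": b"fred" not in wire,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

This is why the note says both key and type must match: a neighbor with "Fred" instead of "fred" computes a different digest and the hello is dropped, so the adjacency never forms. With clear text authentication the key itself travels in every packet, which is the reason message-digest is the one to use.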
EIGRP Configuration
router eigrp AS#
network ip
maximum-paths #
variance multiplier
traffic-share [balanced | min]
eigrp log-neighbor-changes
EIGRP Exec Commands
show ip route
show ip protocols
show ip eigrp neighbors
show ip eigrp topology
show ip eigrp traffic
debug ip eigrp
bandwidth X
EIGRP Autosummarization
Router(config-router)# no auto-summary
Router(config-router)#auto-summary
interface fa0/0
ip summary-address eigrp 100 10.10.0.0 255.255.0.0
Advanced Routing Protocol Topics
Route Summarization
Reduces the size of a routing table. Summary routes, which replace multiple routes, must
be configured by the network engineer.
Without summarization, R2’s routing table shows three routes for its LAN networks, 4
routes from R1, and 4 routes from R3. That is 11 total subnets, all with a mask of
255.255.255.0
On R1:
configure terminal
interface serial 0/0
ip summary-address eigrp 1 10.2.0.0 255.255.0.0
On R3:
configure terminal
interface serial 0/0
ip summary-address eigrp 1 10.3.0.0 255.255.0.0
Now R1 and R3 will each advertise one route and R2 will have a total of three routes in
its routing table.
R2’s routing table:
10.0.0.0 /8 is variably subnetted, 9 subnets, 2 masks
D 10.2.0.0 /16 is a summary, 00:04:57, Null0
D 10.3.0.0 /16 [90/2684416] via 10.1.4.1, 00:04:30, Serial 0/0
Distance vector protocols such as RIP and IGRP cannot perform manual route
summarization.
VLSM
More than one mask is used in a single Class A, B, or C network. VLSM is required for
route summarization so it can only be used by protocols like RIP v2, OSPF, and EIGRP.
Route Summarization Strategies
1. Find the octets of the routes you want summarized that are alike.
2. Review the range and find the mask that gives the best fit.
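The two-step strategy above (find the common leading bits, then the mask that fits the range) is mechanical enough to automate, and automating it also exposes the contiguity problem that the Autosummarization section describes. The Python below is an added example, not code from the original notes: summarize() returns the tightest single prefix covering a list of networks, and holes() lists the address space a summary claims that no listed network actually covers. The subnets are constructed to match R1 in the summarization example (four /24s under 10.2).

```python
import ipaddress

def summarize(networks):
    """Tightest single summary covering every listed network: start at the lowest
    network address and shorten the mask until the block reaches the highest address."""
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    lowest = nets[0].network_address
    highest = int(nets[-1].broadcast_address)
    for plen in range(nets[0].prefixlen, -1, -1):
        candidate = ipaddress.ip_network(f"{lowest}/{plen}", strict=False)
        if int(candidate.broadcast_address) >= highest:
            return candidate

def holes(summary, networks):
    """Address space inside `summary` that none of the listed networks covers.
    Packets for these destinations follow the summary although no real route exists."""
    remaining = [summary]
    for net in sorted(ipaddress.ip_network(n) for n in networks):
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))   # cut the real subnet out
            else:
                carved.append(block)
        remaining = carved
    return sorted(remaining)

# R1's four LAN subnets from the summarization example (constructed to match the text)
R1_SUBNETS = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24", "10.2.4.0/24"]

def demo():
    tight = summarize(R1_SUBNETS)
    configured = ipaddress.ip_network("10.2.0.0/16")   # what the notes configure on R1
    return {
        "tightest": str(tight),
        "tight_holes": [str(h) for h in holes(tight, R1_SUBNETS)],
        "configured_hole_addresses": sum(h.num_addresses for h in holes(configured, R1_SUBNETS)),
    }

if __name__ == "__main__":
    print(demo())
```

For R1 the tightest summary is 10.2.0.0/21, not the /16 the example configures; the /16 is simpler to administer but advertises about 64,000 addresses that do not exist behind R1. The same arithmetic explains the 10.4.0.0 problem in the Autosummarization section: once a summary is in the table, traffic for a hole is drawn toward the summarizing router, where it is either dropped or, on EIGRP, hits the Null0 route shown in R2's table.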
Autosummarization
RIP and IGRP have it on by default and it cannot be disabled. RIP v2 and EIGRP can have it
enabled or disabled with “auto-summary” and “no auto-summary”.
RIP and IGRP are classful, so that is the best they can do. Autosummarization is classful.
The problem with autosummarization and classful routes is that networks must be
contiguous. If a router has summarized the routes of 10.2.0.0 and 10.3.0.0 into 10.0.0.0
/8, then it won’t really know where to send 10.4.0.0 because it still considers that address
as part of 10.0.0.0 /8.
Default Routes
The choice of whether a router uses classless or classful routing determines how that router
uses its default route. Default routes may be entered as a static route or with the default-gateway command.
With classless routing, a default route might not be used even if there is one in place.
Classless routing will not use a default route if there is a closer match to the destination IP
in its routing table. An autosummarized route in a classless routing protocol’s routing
table may act as a default route in lieu of a legitimate, desired default route.
Classful
1. Router A pings 192.168.200.1
2. The autosummarized 192.168.0.0 /16 is in Router A’s routing table, so a match is
assumed and no gateway is used.
3. But there is no match in Router A’s 192.168 subnet for .200
4. Packet is discarded
Classless
1. Router A pings 192.168.200.1
2. There is no specific match to the 192.168.200.0 network in the routing table.
3. Packet is sent out the gateway.
4. Packet is received on 192.168.200.1
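The static route section, the Administrative Distances table and the classful/classless comparison above all describe one decision: which route a router installs for a prefix, and which installed route a packet follows. The Python below is an added example, not code from the original notes, that puts those rules in one place: candidates for the same prefix are resolved by administrative distance (so a static route beats RIP, and a floating static with "ip route ... 200" only appears when RIP's route is gone), and lookups do longest-prefix matching with the classful fallback rule from the comparison. The table and destinations are constructed; the scenario uses a Class B network so the classful case is unambiguous.

```python
import ipaddress

# Default administrative distances from the table in these notes
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100,
              "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200}

class Route:
    def __init__(self, prefix, next_hop, source, ad=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.source = source
        # an explicit AD models "ip route ... 200": a floating static that only
        # wins once no dynamically learned route for the prefix is left
        self.ad = DEFAULT_AD[source] if ad is None else ad

def build_table(candidates):
    """For each prefix keep only the route with the lowest administrative distance."""
    table = {}
    for route in candidates:
        cur = table.get(route.prefix)
        if cur is None or route.ad < cur.ad:
            table[route.prefix] = route
    return table

def classful_network(addr):
    """Major network of an address by its class: A /8, B /16, C /24."""
    first = int(addr) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, destination, classless=True):
    """Longest-prefix match, then the default route, except that a classful router
    refuses the default when it knows the destination's major network but holds
    no subnet of it that matches (the packet is discarded)."""
    dest = ipaddress.ip_address(destination)
    matches = [r for p, r in table.items() if p != DEFAULT and dest in p]
    if matches:
        return max(matches, key=lambda r: r.prefix.prefixlen)
    if not classless:
        major = classful_network(dest)
        if any(p != DEFAULT and p.subnet_of(major) for p in table):
            return None
    return table.get(DEFAULT)

# Constructed candidates: the static routes from the notes plus RIP-learned ones
CANDIDATES = [
    Route("10.1.2.0/24", "10.1.128.252", "static"),
    Route("10.1.2.0/24", "10.1.129.1", "rip"),
    Route("10.1.3.0/24", "10.1.129.1", "rip"),
    Route("10.1.3.0/24", "10.1.128.252", "static", ad=200),   # floating static
    Route("172.16.1.0/24", "10.1.129.1", "rip"),
    Route("0.0.0.0/0", "10.1.2.1", "static"),
]

def describe(route):
    return None if route is None else f"{route.prefix} via {route.next_hop} ({route.source})"

def demo():
    table = build_table(CANDIDATES)
    without_rip = build_table([r for r in CANDIDATES if r.source != "rip"])
    return {
        "10.1.2.0/24 chosen by AD": table[ipaddress.ip_network("10.1.2.0/24")].source,
        "10.1.3.0/24 with RIP up": table[ipaddress.ip_network("10.1.3.0/24")].source,
        "10.1.3.0/24 with RIP down": without_rip[ipaddress.ip_network("10.1.3.0/24")].source,
        "172.16.9.1 classless": describe(lookup(table, "172.16.9.1", classless=True)),
        "172.16.9.1 classful": describe(lookup(table, "172.16.9.1", classless=False)),
        "203.0.113.7 classful": describe(lookup(table, "203.0.113.7", classless=False)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 172.16.9.1 case is the comparison from the notes in miniature: a classless router has no specific match and uses the gateway, while a classful router already holds 172.16.1.0/24, decides it "knows" 172.16.0.0/16, and drops the packet. 203.0.113.7 belongs to a major network the router has never heard of, so both modes use the default.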
Advanced TCP/IP Topics
CIDR
Aggregates multiple network numbers into a single routing entry. Fewer entries in a
routing table. These are classless and it will only aggregate consecutive network
numbers.
Private Addressing
Used for addressing networks that do not touch the internet.
Class   Private IP Range                  # of Networks
A       10.0.0.0 – 10.255.255.255         1
B       172.16.0.0 – 172.31.255.255       16
C       192.168.0.0 – 192.168.255.255     256
Network Address Translation (NAT)
Masks private addresses behind a public address (or addresses). There are three types of NAT:
• Static – A one-to-one mapping of a private to a public address. You need a public
IP for every host that needs the internet.
• Dynamic – one-to-one mapping from a pool. If all the public IPs from the pool are
used up, any new host will have its packets discarded. Requires an ACL to allow
the addresses out.
• NAT Overloading (PAT) – Port Address Translation. Scales many clients with
only a few public IP addresses. Ports are used the way TCP uses them: it selects not only
an inside global IP, but also a unique port # to use with that address. More than
64000 port numbers per IP. This also requires an ACL.
NAT defines addresses in the following manner:
• Inside Local – “inside private”. A host inside your network. A private IP as it
appears on your own LAN.
• Inside Global – Your client with its public IP address (public IP)
• Outside Local – The IP of an outside host as it appears inside your LAN.
• Outside Global – the IP of an outside host as it appears on their LAN.
NAT Configuration
General
ip nat [inside | outside]
ip nat inside source [list (ACL# | ACL name) | route-map name] [interface type # | pool name]
[overload]
ip nat inside destination list
ip nat outside source
ip nat pool MyPool 10.1.1.1 10.1.1.254 netmask 255.255.255.0
Static NAT Config
interface fa0/0
ip nat inside
interface s0/0
ip nat outside
exit
ip nat inside source 10.1.1.2 200.1.1.2
ip nat inside source 10.1.1.1 200.1.1.1
Dynamic NAT Config
interface fa0/0
ip nat inside
interface s0/0
ip nat outside
exit
ip nat pool mypool 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 1 pool mypool
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.1
PAT Configuration
interface fa0/0
ip nat inside
interface s0/0
ip nat outside
exit
ip nat inside source list 1 interface serial0/0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
NAT Exec Commands
show ip nat statistics
show ip nat translations [verbose]
clear ip nat translation [* | inside global-ip local-ip]
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip
global ip]
debug ip nat
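The three configurations above differ in what happens when a second, third or hundredth inside host wants out. The Python below is an added example (not code from the original notes, and not IOS behaviour in every detail) that models them side by side: static one-to-one mappings, dynamic NAT that discards traffic once the pool is empty, and PAT that keeps one inside global address and hands each flow a unique port. The ACL is modelled as a predicate on the source address; inside locals it does not permit are forwarded untranslated, which is what real NAT does with traffic that matches no translation rule. Addresses and ports are constructed from the configuration examples.

```python
class NatRouter:
    """Toy model of the three NAT modes in these notes (constructed example, not IOS code)."""

    def __init__(self, static=None, pool=None, overload_ip=None, acl=None):
        self.static = dict(static or {})          # inside local -> inside global (one-to-one)
        self.pool = list(pool or [])              # free inside global addresses for dynamic NAT
        self.overload_ip = overload_ip            # single inside global address for PAT
        self.acl = acl or (lambda ip: False)      # which inside locals may be translated
        self.dynamic = {}                         # inside local -> inside global (from pool)
        self.pat = {}                             # (local ip, local port) -> (global ip, global port)
        self.used_ports = set()

    def translate(self, src_ip, src_port):
        """Translate an outbound packet's source. Returns the new (ip, port), the original
        pair when no translation applies, or None when the packet is discarded."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port)
        if not self.acl(src_ip):                  # not permitted by the ACL: forwarded untranslated
            return (src_ip, src_port)
        if self.overload_ip:                      # PAT: one global IP, unique port per flow
            key = (src_ip, src_port)
            if key not in self.pat:
                port = src_port if src_port not in self.used_ports else self._free_port()
                self.used_ports.add(port)
                self.pat[key] = (self.overload_ip, port)
            return self.pat[key]
        if src_ip not in self.dynamic:            # dynamic NAT: take the next pool address
            if not self.pool:
                return None                       # pool exhausted: packet discarded
            self.dynamic[src_ip] = self.pool.pop(0)
        return (self.dynamic[src_ip], src_port)

    def _free_port(self):
        port = 1024
        while port in self.used_ports:
            port += 1
        return port

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': (inside global, inside local)."""
        rows = [(g, l) for l, g in self.static.items()]
        rows += [(g, l) for l, g in self.dynamic.items()]
        rows += [(f"{g}:{gp}", f"{l}:{lp}") for (l, lp), (g, gp) in self.pat.items()]
        return rows

def demo():
    inside = lambda ip: ip.startswith("10.1.1.")  # 'access-list 1 permit 10.1.1.0 0.0.0.255'
    static = NatRouter(static={"10.1.1.2": "200.1.1.2", "10.1.1.1": "200.1.1.1"})
    dynamic = NatRouter(pool=["200.1.1.1", "200.1.1.2"], acl=inside)
    pat = NatRouter(overload_ip="200.1.1.1", acl=inside)
    return {
        "static": static.translate("10.1.1.2", 5000),
        "dynamic first two": [dynamic.translate("10.1.1.1", 5000), dynamic.translate("10.1.1.2", 5000)],
        "dynamic third host": dynamic.translate("10.1.1.3", 5000),
        "pat same source port": [pat.translate("10.1.1.2", 5000), pat.translate("10.1.1.3", 5000)],
        "pat denied by acl": pat.translate("10.2.2.2", 5000),
        "pat table": pat.translations(),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "pat same source port" row is the point of overloading: two inside hosts both using source port 5000 leave with the same inside global address but different ports, so replies can be mapped back to the right host. The "pat denied by acl" row is the reason the ACL is part of the configuration: a host the list does not permit leaves with its private address unchanged and will simply get no reply from the internet.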
Secondary IP Addressing
When a network runs out of IPs, it may not be possible to up the mask to include more, as
the other consecutive IPs might be spoken for. Re-IPing a network is possible, but a lot of
work. Secondary Addressing uses multiple networks or subnets on the same data link.
interface ethernet0
ip address 10.1.7.252 255.255.255.0 secondary
ip address 10.1.2.252 255.255.255.0
A “show ip route” shows both routes as directly connected.
FTP and TFTP
FTP                                          TFTP
Uses TCP                                     Uses UDP
Uses robust control commands                 Uses simple control commands
Sends data over a TCP connection separate    Uses no connections because of UDP
from the control commands
Requires more memory                         Requires less memory
MTU and Fragmentation
Maximum Transmission Unit is 1500. Routers fragment this 1500 byte value into smaller
chunks that a wire can handle. Reassembly is done at the endpoint host.
mtu #       Sets the size
ip mtu      Sets the value used for IP
ISL and 802.1Q Config on Routers
VLAN trunking between a switch and a router.
interface fastethernet 0/1
ip address 10.1.1.1 255.255.255.0
encapsulation isl 1
interface fastethernet 0/2
ip address 10.1.2.1 255.255.255.0
encapsulation isl 2
The 1 and 2 refer to VLAN numbers. Alternatively, this configuration can be done with
dot1q:
interface fastethernet 0/1
ip address 10.1.1.1 255.255.255.0
encapsulation dot1q 1
interface fastethernet 0/2
ip address 10.1.2.1 255.255.255.0
encapsulation dot1q 2
Point-To-Point Leased Line Implementation
Leased Line – Dedicated, always-on circuit between two end points, e.g. a T1 (HDLC,
PPP, SLIP)
Circuit Switching / Dial – Provides dedicated bandwidth between two points, but only
for the duration of the call, e.g. ISDN (HDLC, PPP, SLIP)
Packet Switching – Virtual circuits between pairs of sites, e.g. Frame Relay, ATM, X.25
DTE – Your stuff
DCE – Their stuff (typically)
Point-to-point interfaces between routers must be on the same subnet. Often a /30 mask is
ideal.
WAN Data Link Protocols
HDLC
• No error recovery; frames with errors detected in the FCS are discarded
• No architected type field
• Cisco proprietary type field
• Synchronous links only
PPP
• Supports error recovery, but not enabled by default
• Has architected type field
• Asynchronous & synchronous communication
• Compression
• Callback
• Multilink
• Authentication
Configuration
interface serial 0
encapsulation [hdlc | ppp]
compress [predictor | stac | mppc (ignore-pfc)]
show interfaces [type #]
show compress
show process cpu
PPP Specific
Uses Link Control Protocol (LCP), which provides core features. PPP is a true
multiprotocol communicator. For example, it can operate at layer three with IP using IP
control protocol (IPCP). IPCP provides for IP address assignments.
PPP uses one LCP link and one Control Protocol for each layer three protocol defined on
the link. So if a router ran IP, IPX, and Appletalk over one link, PPP would have an LCP
and a Control Link for each one.
• Error detection (link quality monitoring – LQM)
• Looped link detection
• Multilink support (redundant serial links between two routers)
• Authentication (PAP and CHAP)
NCP – Network Control Protocol. Method of establishing and configuring different
network layer protocols.
LQM may detect excessive errors and PPP may shut down the offending interface.
Without a redundant link, however, this feature would be undesirable.
PAP & CHAP
To prove that the router you are talking to is really the router you think it is,
authentication is used.
Password Authentication Protocol (PAP) and Challenge Handshake Authentication
Protocol (CHAP) both require an exchange of messages between devices. PAP sends the
password in clear text, while CHAP uses a one-way hash algorithm, with the inputs to the
algorithm being the password and a random number. The challenging router runs the same
algorithm over the same random number and its own copy of the password and accepts
the communication only if the results match. CHAP does periodic re-checks as well.
PAP and CHAP authentication failures would show up as UP / DOWN on an interface.
Router One
username Router_Two password Cheese
interface serial 0
encapsulation ppp
ppp authentication chap
Router Two
username Router_One password Cheese
interface serial 0
encapsulation ppp
ppp authentication chap
Note that the username equals the name of the router on the other side of the link.
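The difference between the two protocols is what crosses the serial link. The Python below is an added example, not code from the original notes: it implements the CHAP response exactly as RFC 1994 defines it (MD5 over the one-byte identifier, the shared secret and the challenge) and compares it with a PAP request that carries the password itself. The secret is the "Cheese" from the configuration above; the PAP packet layout and the challenge values are constructed for illustration, not real PPP framing.

```python
import hashlib
import hmac
import os

def pap_request(username, password):
    """PAP Authenticate-Request carries the password itself (constructed layout)."""
    return b"PAP:" + username + b":" + password

def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    The secret is an input to the hash and never leaves the router."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, stored_secret, challenge, response):
    """The challenger recomputes the hash with its own copy of the secret and compares."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def chap_exchange(authenticator_secret, peer_secret, identifier=1, challenge=None):
    """Both sides of one CHAP round trip. Returns (accepted, bytes seen on the link)."""
    challenge = challenge or os.urandom(16)                       # the challenger's random number
    wire_challenge = bytes([identifier]) + challenge              # Challenge packet
    response = chap_response(identifier, peer_secret, challenge)  # computed by the peer
    wire_response = bytes([identifier]) + response                # Response packet
    accepted = chap_verify(identifier, authenticator_secret, challenge, response)
    return accepted, wire_challenge + wire_response

def demo():
    ok, wire = chap_exchange(b"Cheese", b"Cheese", challenge=bytes(16))
    bad, _ = chap_exchange(b"Cheese", b"cheese", challenge=bytes(16))
    r1 = chap_response(1, b"Cheese", b"\x01" * 16)
    r2 = chap_response(1, b"Cheese", b"\x02" * 16)
    return {
        "matching secrets accepted": ok,
        "mismatched secrets rejected": bad,
        "secret visible in pap": b"Cheese" in pap_request(b"Router_Two", b"Cheese"),
        "secret visible in chap": b"Cheese" in wire,
        "new challenge new response": r1 != r2,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last check is what makes the "periodic re-checks" useful: each re-authentication uses a fresh random challenge, so a captured response cannot simply be replayed later. Note also that both routers need the same secret stored in the clear, which is why the username/password lines must match on both ends.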
ISDN Dial-On-Demand
• Provides switched (dialed) WAN services in increments of 64kbps.
• Popular (in its day) as a backup for frame relay and other “always on” WAN
links.
ISDN Channels
Type       # of B Channels   # of D Channels   Descriptive Term
BRI        2                 1 (16 kbps)       2B+D
PRI (T1)   23                1 (64 kbps)       23B+D
PRI (E1)   30                1 (64 kbps)       30B+D
B channels can send both voice and data. D channels are used for signaling.
ISDN Protocols
Issue                                    Protocol   Key Examples
Telephone network and ISDN               E-Series   E.163 – International telephone numbering plan.
                                                    E.164 – International ISDN addressing.
ISDN concepts, aspects, and interfaces   I-Series   I.100 Series – Concepts, structures, and terminology.
                                                    I.400 Series – User network interface (UNI)
Switching and signaling                  Q-Series   Q.921 – Link Access Procedure on the D channel (LAPD)
                                                    Q.931 – ISDN network layer
OSI Layer              I-Series      Q-Series Equivalent   Description
1: Cabling, encoding   ITU-T I.430   -                     Defines connectors, encoding, framing, and
                       ITU-T I.431                         reference points
2: LAPD, Signaling     ITU-T I.440   ITU-T Q.920           Defines the LAPD protocol used on the D channel
                       ITU-T I.441   ITU-T Q.921           to encapsulate signaling requests
3: Setup / Teardown    ITU-T I.450   ITU-T Q.930           Defines signaling messages, such as call
                       ITU-T I.451   ITU-T Q.931           setup and teardown messages.
D channel uses LAPD. LAPD provides data-link protocol that allows delivery of
messages across that D channel to the local switch. Uses a Service Profile Identifier
(SPID) to perform authentication.
Function Groups and Reference Points
• Function Group – a set of functions implemented by a device and software
• Reference Point – the interface between two function groups including cabling
details. (layer one)
U, S/T, S: ISDN card interface types
R: Serial interface (no ISDN hardware / software on router)
Reference Point   Function Groups Connected With   Types of Interface Used
U                 TE1, NT1                         ISDN Card, U interface
S/T               TE1                              ISDN Card, S/T interface
R                 TE2                              Serial Interface
S                 TE1                              ISDN Card, S/T interface
Function Group   Definition              Description
TE1              Terminal Equipment 1    4-wire ISDN capable
TE2              Terminal Equipment 2    R reference, connects to TA
TA               Terminal Adapter        Uses R + S reference points
NT1              Network Termination 1   CPE. U interface. 2-wire, connects with T or S reference points.
NT2              Network Termination 2   T reference point. Outside North America, or NT1 inside. Uses S
                                         reference point to another CPE.
NT1/NT2          -                       Combined in the same device. Common in North America.
Reference Point   What it comes between
R                 TE2 and TA
S                 TE1 or TA and NT2
T                 NT2 and NT1
U                 NT1 and Telco
S/T               TE1 or TA, connected to an NT1 when no NT2 is used. Or the
                  connection from a TE1 or TA to a combined NT1/NT2
ISDN Commands
isdn switch-type type
int bri0
isdn switch-type type
BRI
int bri0
isdn spid1 51055510000001 5551000
isdn spid2 51055510010001 5551001
dialer-group x
PRI
isdn switch-type type
controller t1 1/0
framing [sf | esf]
linecode [ami | b8zs | hdb3]
pri-group timeslots [1-24]
interface serial0/0:x
sho isdn [status | dialer]
sho dialer
debug ppp [negotiation | authentication]
debug isdn [q921 | q931]
debug dialer [events | packets]
Dialer Profile option 1
dialer-list 1 protocol ip permit
int dialer 0
dialer-group 1
Dialer Profile option 2
dialer-list 2 protocol ip list 150
access-list 150 deny udp any any eq tftp
access-list 150 deny tcp any any eq telnet
access-list 150 permit ip any any
int dialer 0
dialer-group 2
Frame Relay
Virtual Circuit (VC) – Logical concept of the path that frames travel between DTEs
Permanent Virtual Circuit (PVC) – Predefined VC. A PVC can be equated to a leased line in concept.
Switched Virtual Circuit (SVC) – A VC that is set up dynamically when needed. Can be equated to a dial connection.
Data Terminal Equipment (DTE) – Typically a company’s routers at their sites. Connect to the provider’s FR switch.
Data Communications Equipment (DCE) – Frame Relay switches. Typically in the provider’s network. Can be CSUs, can provide clocking.
Access Link – Leased line between DTE and DCE. Physical.
Access Rate (AR) – Speed at which the access link is clocked
Data-Link Connection Identifier (DLCI) – Frame Relay address used in FR headers to identify a VC
Nonbroadcast Multi-Access (NBMA) – Broadcasts are not supported, but more than two devices may be connected
Local Management Interface (LMI) – Protocol between DTE and DCE to manage the connection. Signaling messages, keepalives, etc.
Frame relay is defined by documents from the International Telecommunications Union
(ITU) and the American National Standards Institute (ANSI).
Specification – ITU Document – ANSI Document
Data-link specs including LAPF header / trailer – Q.922 Annex A – T1.618
PVC Management (LMI) – Q.933 Annex A – T1.617 Annex D
SVC Signaling – Q.933 – T1.617
Multiprotocol Encapsulation – Q.933 Annex E – T1.617 Annex F
Virtual Circuits share the same access link and Frame Relay network. DLCI numbers sort
out which VC is which.
Since the provider shares the cloud with more than one company, Frame Relay offers a
Committed Information Rate (CIR). Each VC has a CIR, the bandwidth the provider
guarantees for that VC.
To calculate the number of links (VCs) needed for a fully meshed network, use the
formula n(n-1)/2 where n = the number of sites.
Example:
10 sites yields 10(10-1)/2 = 45
LMI and Encapsulation Types
LMI is a definition of messages used between the DTE and DCE. Encapsulation defines
the headers used by a DTE to communicate some information to the DTE on the other
end of a VC.
LMI Status Inquiry Message – Access Link and VC.
 Perform a keepalive function between DTE and DCE (access link)
 Signal whether a PVC is active or inactive (VC)
LMI Protocol Option – Document – IOS LMI Type
Cisco – Proprietary – cisco
ANSI – T1.617 Annex D – ansi
ITU – Q.933 Annex A – q933a
The DTE needs to know which type of LMI to use so that it uses the same one the FR
switch is using.
frame-relay lmi-type [cisco | ansi | q933a]
Encapsulation and LAPF
A Frame Relay connected router encapsulates each layer three packet inside a FR header
and trailer before it is sent out across an access link. Header and trailer are defined by
the Link Access Procedure Frame Bearer Services (LAPF) specification, ITU Q.922 Annex A,
and provide:
 Error detection (FCS)
 DLCI
 DE
 FECN
 BECN
The LAPF header does not contain a protocol field, so if a frame arrives at the DTE without a
protocol field defined in its data-link header (i.e. it is only using the LAPF header), the DTE
cannot support multiprotocol traffic because there is no way to tell IP from IPX without
that information in the header.
To compensate for the absence of the protocol field in the LAPF header:
 Cisco: an additional header that goes between the LAPF header and the L3 packet. 2-byte
protocol type field, with the values matching the same field used for HDLC by
Cisco.
 RFC 1490 (which became RFC 2427) “Multiprotocol Interconnect over Frame
Relay”. ITU and ANSI conform to this. Header includes a protocol type field.
DTEs care about these encapsulation types and specs, but Frame Relay switches ignore
these fields. FR switches only care about LMI standards. Both DTEs at either end must use
the same encapsulation. The two types of encapsulation are ietf and cisco.
DTE and DTE = same encapsulation (ietf, cisco)
DTE and FR Switch = same LMI type (ansi, cisco, q933a)
DLCI Addressing
DLCI numbers are locally significant. A router can use the same number to define one of
its VCs as another router uses to define one of its VCs and no conflict will occur. Global
Addressing makes DLCI addressing look like LAN addressing, conceptually, and forces
a unique number for each VC in the mesh. In this scenario, a router will have a global and
a local DLCI for each VC.
 The sender treats the DLCI field as a destination address, using the destination’s
global DLCI in its header.
 The receiver treats the DLCI field as a source address, because it contains the
global DLCI of the frame’s sender.
Frame Relay switches change the DLCI value before delivery. This is how the receiving
DTE knows where the frame came from. Inverse ARP dynamically creates a mapping
from L3 (IP) to L2 (DLCI). Or the mapping can be done statically with the “map”
command.
Layer Three Addressing
 One subnet for all DTEs
 One subnet per VC
 A hybrid of both (two or more VCs in one subnet, and the rest in their own)
Broadcast Handling
A router can be told how to forward broadcasts to manage overhead. For example, Frame
Relay is nonbroadcast multi-access, but with the “map” command it is possible to force
traffic to broadcast. In the below example, the IP of 10.1.1.1 maps to DLCI 40 and is set
to broadcast.
frame-relay map ip 10.1.1.1 40 broadcast
Frame Relay Service Interworking
Most providers build their core with ATM so their FR switches sit on the edge of an
ATM network.
Frame Relay Forum document FRF.5 defines how a frame relay switch can convert from
a Frame Relay VC to an ATM Virtual Connection (also called a VC) and back into a
frame relay VC. The end result is transparent to the two customer routers.
Another standard defines how one router connects to a frame relay switch and the other
connects to an ATM switch. This document is FRF.8.
Default Frame Relay Settings
 LMI type is automatically sensed (learned from other FR switches)
 Default encapsulation type for the DTEs is cisco
 PVC DLCIs are learned via LMI status messages
 Inverse ARP is enabled by default and is triggered when the status message
declaring that the VCs are up is received.
LMI reports on the status of Virtual Circuits. The VC will be in one of three states:
 Active – Everything is fine. Information is being transferred
 Inactive – Router’s interface is up, but the remote router is not
 Deleted – No LMI information is being transferred. Possible mapping problem or
line failure.
Frame Relay Congestion Control
 DE (Discard Eligibility) – When the Frame Relay switch detects congestion, it sets the
DE bit in the Frame Relay header. Frames with this bit set are discarded first
if the switch is congested.
 FECN (Forward Explicit Congestion Notification) – The Frame Relay switch detects
congestion and sets the FECN bit to 1 in the Frame Relay header. These frames,
when they arrive at the DCE, announce that the path they just traversed is congested.
 BECN (Backward Explicit Congestion Notification) – Same as FECN, but the
bit is sent to the source (DTE).
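The Python below is an added example, not code from the study notes, from Cisco IOS or from any ITU/IETF source. It builds and parses the 2-octet Q.922 (LAPF) address field described under Encapsulation and LAPF (DLCI, FECN, BECN, DE bits), checks the FCS with the CRC-16/X-25 that HDLC-family links use, and shows why both DTEs must agree on ietf versus cisco encapsulation: the same frame read with the wrong setting yields no recognisable protocol. The Ethertype values (0x0800 IP, 0x8137 IPX) and the RFC 2427 control/NLPID/SNAP layout are as I know them; the byte order of the FCS field and every frame are assumptions constructed for this example, not captures.

```python
"""Added example (not from the study notes, Cisco IOS or any ITU/IETF code):
parse the 2-octet Q.922 (LAPF) address field, check the FCS and identify the
layer 3 protocol under the cisco and ietf (RFC 2427) encapsulations.
Every frame here is constructed for illustration, not a capture."""
from dataclasses import dataclass

CONTROL_UI, NLPID_IP, NLPID_SNAP = 0x03, 0xCC, 0x80
ETHERTYPES = {0x0800: "ip", 0x8137: "ipx"}   # cisco encapsulation reuses Cisco HDLC type values


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25, the HDLC/LAPF FCS: reflected poly 0x8408, init and xorout 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


@dataclass
class Q922Address:
    dlci: int      # 10-bit, locally significant
    cr: int        # command/response, unused by Frame Relay
    fecn: bool     # congestion seen in the direction this frame travels
    becn: bool     # congestion seen in the opposite direction
    de: bool       # discard first when the switch is congested


def build_q922_address(dlci: int, cr=0, fecn=False, becn=False, de=False) -> bytes:
    """Octet 1: DLCI bits 9-4 | C/R | EA=0.  Octet 2: DLCI bits 3-0 | FECN | BECN | DE | EA=1."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    octet1 = ((dlci >> 4) << 2) | (cr << 1)
    octet2 = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes([octet1, octet2])


def parse_q922_address(octets: bytes) -> Q922Address:
    o1, o2 = octets[0], octets[1]
    if o1 & 1 or not o2 & 1:            # EA bits 0 then 1 mark the 2-octet form
        raise ValueError("not a 2-octet Q.922 address")
    dlci = ((o1 >> 2) << 4) | (o2 >> 4)
    return Q922Address(dlci, (o1 >> 1) & 1, bool(o2 & 8), bool(o2 & 4), bool(o2 & 2))


def encapsulate(kind: str, protocol: str, packet: bytes) -> bytes:
    """Bytes between the Q.922 address and the layer 3 packet for each encapsulation."""
    ethertype = {v: k for k, v in ETHERTYPES.items()}[protocol].to_bytes(2, "big")
    if kind == "cisco":
        return ethertype + packet
    if kind == "ietf" and protocol == "ip":
        return bytes([CONTROL_UI, NLPID_IP]) + packet
    if kind == "ietf":   # SNAP form: control, pad, NLPID 0x80, OUI 00-00-00, PID
        return bytes([CONTROL_UI, 0x00, NLPID_SNAP, 0, 0, 0]) + ethertype + packet
    raise ValueError(kind)


def identify_protocol(body: bytes, kind: str) -> str:
    """What a DTE configured for 'kind' makes of the bytes after the address."""
    if kind == "cisco":
        return ETHERTYPES.get(int.from_bytes(body[:2], "big"), "unknown")
    if kind != "ietf":
        raise ValueError(kind)
    if body[0] != CONTROL_UI:
        return "unknown"
    if body[1] == NLPID_IP:
        return "ip"
    if body[1:6] == bytes([0x00, NLPID_SNAP, 0, 0, 0]):
        return ETHERTYPES.get(int.from_bytes(body[6:8], "big"), "unknown")
    return "unknown"


def build_frame(dlci: int, kind: str, protocol: str, packet: bytes, **flags) -> bytes:
    content = build_q922_address(dlci, **flags) + encapsulate(kind, protocol, packet)
    return content + crc16_x25(content).to_bytes(2, "little")   # FCS byte order assumed


def parse_frame(frame: bytes, kind: str) -> dict:
    """Reject a frame whose FCS fails, otherwise return the header bits and protocol."""
    content, fcs = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_x25(content) != fcs:
        raise ValueError("FCS mismatch, frame discarded")
    a = parse_q922_address(content[:2])
    return {"dlci": a.dlci, "fecn": a.fecn, "becn": a.becn, "de": a.de,
            "protocol": identify_protocol(content[2:], kind)}


if __name__ == "__main__":
    ip_start = bytes.fromhex("45000014")            # constructed: first IPv4 header bytes
    frame = build_frame(40, "ietf", "ip", ip_start, becn=True)
    print(parse_frame(frame, "ietf"))               # dlci 40, becn True, protocol 'ip'
    print(parse_frame(frame, "cisco")["protocol"])  # same bytes, wrong setting: 'unknown'
```

The FCS check comes before anything else is read from the frame, which is the order a receiver should use: a single flipped bit anywhere in the address, encapsulation header or payload changes the CRC and the frame is dropped rather than interpreted.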
Frame Relay Commands
encapsulation frame-relay [ietf | cisco]
frame-relay lmi-type [ansi | q933a | cisco]
bandwidth #
frame-relay map prot prot-address dlci [broadcast] [payload-compression frf9 stac caim]
keepalive seconds
interface serial 0/0.x [point-to-point | multipoint]
frame-relay interface-dlci dlci [ietf | cisco] [voice-cir cir] [ppp virtual-template name]
show frame-relay [interface int] [dlci]
show frame-relay lmi [type #]
show frame-relay pvc
no frame-relay inverse-arp
frame-relay map ip 199.1.1.1 51 broadcast
frame-relay map ip 199.1.1.2 52 broadcast
Partial Mesh with one Subnet Per VC
interface serial 0
encapsulation frame-relay
interface serial 0.1 point-to-point
ip address 140.1.1.1 255.255.255.0
frame-relay interface-dlci 52
interface serial 0.2 point-to-point
ip address 140.1.3.1 255.255.255.0
frame-relay interface-dlci 53
Fully Meshed / One IP Subnet
(Router One)
interface serial 0
encapsulation frame-relay
ip address 199.1.1.1 255.255.255.0
(Router Two)
interface serial 0
encapsulation frame-relay
ip address 199.1.1.2 255.255.255.0
Partial Mesh Hybrid
interface serial 0
encapsulation frame-relay
interface serial 0.1 multipoint
ip address 140.1.1.1 255.255.255.0
frame-relay interface-dlci 502
frame-relay interface-dlci 503
interface serial 0.2 point-to-point
ip address 140.1.2.1 255.255.255.0
frame-relay interface-dlci 504
IP Access Control List Security
Internal processing in a router in relation to where the router can filter packets:
 Packets can be filtered as they enter an interface, before the routing decision
 Packets can be filtered before they exit an interface, after the routing decision
 Deny refers to filtering
 Permit refers to not filtering
 Filtering logic is configured in the access list
 Implicit deny at the end of any ACL
 ACLs use wildcard masks
 ACLs have two steps in their logic: matching and action
To find a subnet mask’s wildcard, take a 0 for each 255, take a 255 for each 0, and for
any subnetted octet, subtract that number from 255.
e.g.: to convert 255.255.252.0 to a wildcard mask, take 0s for the two 255s to get 0.0.,
then subtract 252 from 255 to get 3, and finally take a 255 for the 0 to wind up
with 0.0.3.255.
Standard ACLs
Standard ACLs can match the source IP or portions of the source IP (with a wildcard
mask). They cannot be used to identify ports or protocols.
access-list [1 – 99] [deny | permit] source-ip [source-wildcard] [log]
access-list [1 – 99] remark text
ip access-group [number | name] [in | out]        (interface subcommand to enable the ACL)
access-class [number | name] [in | out]           (VTY subcommand for Telnet)
show access-lists [1 – 99 | name]
show ip access-list [1 – 99 | name]
Example:
interface ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
access-list 1 remark Deny one host
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
OR
access-list 1 deny host 172.16.3.10
access-list 1 permit any
no access-list 1          (removes the whole list)
Extended ACLs
Can match source IP or portion of source IP, destination IP (or portion), protocol type,
and source and destination port.
access-list [100 – 199] [deny | permit] protocol source-ip source-wildcard [eq source-port]
destination-ip destination-wildcard [eq destination-port] [log | log-input]
access-list [100 – 199] remark text
ip access-group [number | name] [in | out]        (interface subcommand to enable the ACL)
access-class [number | name] [in | out]           (VTY subcommand for Telnet)
show access-lists [100 – 199 | name]
show ip access-list [100 – 199 | name]
Examples:
access-list 101 deny tcp host 10.1.1.1 any eq telnet
access-list 101 deny ip any host 10.1.1.1
access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23        (denies anything with a source port greater than 1023)
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any     (lt = less than)
access-list 101 deny icmp any any echo-reply
access-list 101 permit ip any any
Named ACLs
 Names instead of numbers
 Delete lines individually
 Named IP access list submode
Creating:
ip access-list extended TenNet
> permit tcp host 10.1.1.2 eq www any
> deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
> permit ip any any
> interface serial0
ip access-group TenNet out
Making Changes:
ip access-list extended TenNet
> no deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
> exit
Controlling Telnet Access with ACLs
line vty 0 4
login
password cisco
access-class 3 in
^Z
access-list 3 permit 10.1.1.0 0.0.0.255
Recommendations
 Create ACLs in a text editor to get them right, save them for editing later, etc. Copy and
paste to the router.
 Place extended ACLs close to the source to discard packets early
 Place standard ACLs close to the destination
 Place more specific statements early in an ACL
 Disable an ACL on its interface using “no ip access-group” before making
changes to it.
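The Python below is an added example, not code from the study notes or from Cisco IOS. It ties together the wildcard-mask arithmetic, the matching/action logic with its implicit deny, and the recommendation above to place more specific statements early. It parses entries in the syntax the notes use (numbers 1–99 standard, 100–199 extended; only the protocols ip, tcp and udp and the port operators eq, gt and lt are modelled; the telnet/www/tftp port-name table is a small constructed one), evaluates constructed packets first-match, and flags entries that an earlier, more general entry makes unreachable. Run on the access-list 101 from the Extended ACLs examples, the ordering check reports entry 3: entry 2 already denies all IP traffic to host 10.1.1.1, so the tcp ... eq 23 line can never match.

```python
"""Added example (not from the study notes or from Cisco IOS): wildcard-mask
arithmetic, first-match / implicit-deny evaluation of IOS-style numbered ACLs,
and an ordering check that flags entries hidden by a more general earlier one.
Only ip/tcp/udp and the eq/gt/lt port operators are modelled; packets and the
port-name table are constructed for the example."""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "tftp": 69}      # constructed subset of IOS names
ANY = ("0.0.0.0", "255.255.255.255")


def ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.252.0 -> 0.0.3.255: every wildcard bit is the inverse of the mask bit."""
    return str(ipaddress.IPv4Address(ip(subnet_mask) ^ 0xFFFFFFFF))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must equal the ACL address bit, 1 = don't care."""
    return (ip(packet_addr) ^ ip(acl_addr)) & ~ip(wildcard) & 0xFFFFFFFF == 0


def port_match(port, spec) -> bool:
    if spec is None:
        return True                                   # entry does not test this port
    op, value = spec
    return port is not None and {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def parse_entry(line: str) -> dict:
    """'access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23' -> field dict."""
    tok = line.split()
    extended = int(tok[1]) > 99                       # 100-199 carry protocol, dst and ports
    e = {"action": tok[2], "protocol": tok[3] if extended else "ip"}
    i = 4 if extended else 3

    def addr(i):
        if tok[i] == "any":
            return ANY, i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
            return (tok[i], tok[i + 1]), i + 2        # address followed by its wildcard
        return (tok[i], "0.0.0.0"), i + 1             # bare address means host

    def port(i):
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            return (tok[i], int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))), i + 2
        return None, i

    e["src"], i = addr(i)
    e["sport"], i = port(i) if extended else (None, i)
    e["dst"], i = addr(i) if extended else (ANY, i)
    e["dport"], i = port(i) if extended else (None, i)
    return e


def evaluate(acl: list, packet: dict) -> tuple:
    """(action, 1-based entry number); first match wins, no match = implicit deny."""
    for n, e in enumerate(acl, 1):
        if (e["protocol"] in ("ip", packet["protocol"])
                and wildcard_match(packet["src"], *e["src"])
                and wildcard_match(packet["dst"], *e["dst"])
                and port_match(packet.get("sport"), e["sport"])
                and port_match(packet.get("dport"), e["dport"])):
            return e["action"], n
    return "deny", None


def covers_addr(broad, narrow) -> bool:
    """Every address matched by 'narrow' is also matched by 'broad'."""
    fixed = ~ip(broad[1]) & 0xFFFFFFFF                # bits the broad entry insists on
    return ip(narrow[1]) & fixed == 0 and (ip(broad[0]) ^ ip(narrow[0])) & fixed == 0


def covers_port(broad, narrow) -> bool:
    if broad is None:
        return True
    if narrow is None:
        return False
    (bo, bv), (no, nv) = broad, narrow
    if bo == "eq":
        return no == "eq" and nv == bv
    if bo == "gt":
        return (no == "gt" and nv >= bv) or (no == "eq" and nv > bv)
    return (no == "lt" and nv <= bv) or (no == "eq" and nv < bv)


def shadowed_entries(acl: list) -> list:
    """1-based numbers of entries no packet can reach because an earlier entry covers them."""
    hidden = []
    for j, late in enumerate(acl):
        if any(early["protocol"] in ("ip", late["protocol"])
               and covers_addr(early["src"], late["src"])
               and covers_addr(early["dst"], late["dst"])
               and covers_port(early["sport"], late["sport"])
               and covers_port(early["dport"], late["dport"])
               for early in acl[:j]):
            hidden.append(j + 1)
    return hidden


ACL_101 = [parse_entry(l) for l in """
access-list 101 deny tcp host 10.1.1.1 any eq telnet
access-list 101 deny ip any host 10.1.1.1
access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any
access-list 101 permit ip any any""".split("\n") if l.strip()]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"))                   # 0.0.3.255
    pkt = {"protocol": "tcp", "src": "10.2.2.2", "sport": 4000, "dst": "10.1.1.1", "dport": 80}
    print(evaluate(ACL_101, pkt))                                # ('deny', 2)
    print(shadowed_entries(ACL_101))                             # [3]
```

The shadow check is the mechanical form of the "more specific statements early" rule: it is also the check worth running before trusting a permit line near the top of a long list, since a broad permit above a later deny means the deny is dead and the traffic is allowed.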